There has been a 129% increase in Andorid banking trojans targeting banking apps in the span of only one year. A noticeable addition is cryptocurrency wallet apps, that are now part of every new Android banking trojan family.
New Android Banking Trojans like Medusa and others have fully adapted to performing on-device fraud attacks by automating the login sequence, checking the balance of the victim, and creating payments to money mules using Automated Transfer System modules. This attack vector is achieved by abusing the Accessibility features of the Android operating system.
To continue fortifying the on-device fraud strategy, adversaries also discovered that they can use native Android code to achieve screen streaming capabilities, making the attack less noticeable on the victim’s device.
The banking malware experts at ThreatFabric — a ThreatConnect Technology Partner — consider these developments a significant threat to mobile payments on the Android platform.
In this episode of the ThreatConnect Podcast, we talk about these disturbing trends with ThreatFabric CEO Han Sahin.
One of the most obvious catalysts that played an important role in The Rage we are experiencing are the source code leaks of two very effective bots, namely Anubis 2.5 and Cerberus: these leaks resulted in multiple private trojan versions actively targeting regions such as Poland, Spain, Turkey, and Italy (local actors).
We also noticed a very clear new trend adopted by Android banking families in the way they advertise themselves. From 2018 to mid 2020 Android banking trojans from families like Red Alert or Cerberus, had all adopted the Malware as a Service (MaaS) model: actors would rent their malware services on a subscription basis and would aggressively advertise their service on multiple dark web forums.
However, recent malware families, including Alien or Medusa among others, adopted a more reserved approach, limiting their exposure on public forums and using side-channels for the customers to communicate directly with the vendor.