Researchers from Cyble Research and Intelligence Labs (CRIL) have discovered a new large-scale campaign distributing an Android Trojan aimed at stealing banking data and cryptocurrency accounts. The malware is already targeting users in at least ten countries and disguises itself as popular apps, including TikTok.
The attack begins with fake app download links. Once installed, the dropper displays a convincing Google Play update notification and step-by-step instructions for granting the necessary permissions.
Disguised as Google Play Services, the malware gains access to Android's Accessibility Service, allowing it to persist in the system and gain extensive control over the device.
The Trojan constantly monitors which apps the user launches and compares them against a built-in target list of over 180 banking, financial, and cryptocurrency apps. When the victim opens one, a phishing form appears over the legitimate interface, virtually indistinguishable from the real login page. The user enters their login, password, or confirmation code, unaware that the data is being sent to the attackers.

The Trojan's capabilities don't stop there. Researchers discovered support for over 30 remote commands. Operators can manipulate the clipboard, simulate screen taps, display fake notifications, and perform other actions on the infected device.

A separate threat is the screen streaming function. Using the standard Android MediaProjection API, the malware continuously captures the device's screen and sends JPEG images to the attackers' server. This allows near-real-time monitoring of the victim's financial transactions and the interception of one-time verification codes.

The Trojan's control infrastructure is divided into several communication channels: one port is used for operator commands, a second for telemetry from the infected device, and a third for transmitting the video stream of the screen.

@ Anti-Malware
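The report's key foothold is an Accessibility Service granted to an app posing as Google Play Services. As an added triage example (not code from the report or from CRIL), the script below parses the value Android stores for `settings get secure enabled_accessibility_services` and flags services from non-allowlisted packages, in particular any whose user-facing label claims to be Google Play Services but whose package is not the genuine `com.google.android.gms`. The allowlist, sample settings value and label map are constructed for illustration; in practice the value comes from `adb shell settings get secure enabled_accessibility_services` and labels from `adb shell dumpsys package <pkg>`.

```python
from typing import Dict, List

# Constructed allowlist of packages expected to hold accessibility access.
# TalkBack is Android's built-in screen reader; tune this set per fleet.
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
}

# Genuine package name behind the "Google Play Services" label.
GMS_PACKAGE = "com.google.android.gms"


def parse_enabled_services(settings_value: str) -> List[Dict[str, str]]:
    """Parse the colon-separated 'package/ServiceClass' list Android keeps in
    the secure setting enabled_accessibility_services."""
    entries = []
    for item in settings_value.strip().split(":"):
        if not item or "/" not in item:
            continue  # empty or malformed entry, skip rather than crash
        pkg, svc = item.split("/", 1)
        if svc.startswith("."):
            svc = pkg + svc  # a leading '.' is relative to the package name
        entries.append({"package": pkg, "service": svc})
    return entries


def triage(settings_value: str, labels: Dict[str, str]) -> List[Dict[str, str]]:
    """Return findings for enabled accessibility services that are not
    allowlisted. `labels` maps package name -> app label shown to the user."""
    findings = []
    for entry in parse_enabled_services(settings_value):
        pkg = entry["package"]
        if pkg in KNOWN_GOOD_PACKAGES:
            continue
        label = labels.get(pkg, "")
        reason = "accessibility service from non-allowlisted package"
        # The dropper in the report poses as Google Play Services; a matching
        # label on any other package is the strongest signal here.
        if "google play" in label.lower() and pkg != GMS_PACKAGE:
            reason = "label impersonates Google Play Services"
        findings.append({**entry, "label": label, "reason": reason})
    return findings


# Constructed sample: TalkBack plus a suspicious third-party service.
SAMPLE_VALUE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.update/.AccService"
)
SAMPLE_LABELS = {"com.example.update": "Google Play Services"}
```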