BankBot Malware Once More Hits Google Play
The BankBot Android banking Trojan is back, managing to bypass Google’s security scans once more to reach the Play Store.
This particular banking Trojan was first discovered back in January, when the source code for an unnamed Android banking Trojan was dumped on an underground hacking forum. It didn’t take long before that source code was picked up and turned into BankBot.
So far, it has been used to target banks in Russia, the UK, Austria, Germany, and Turkey. Now, thanks to some tweaks in the code, the malware can disguise itself in order to avoid the Google security scanner. By April, three different BankBot campaigns had been detected and Google took down the infected apps.
Unfortunately, other apps appeared in their place. This time around, after Dr. Web and ESET detected their share of campaigns, it’s time for Securify to step in. According to the Dutch security firm, two new BankBot campaigns have managed to bypass the security checks for the Play Store.
How does it work?
BankBot works by showing a fake login window on top of the legitimate banking app installed on a user’s device. In short, BankBot can be used to steal login credentials for banking apps, which is, obviously, very bad. It can also be used to steal login details for other apps, including Facebook, YouTube, WhatsApp, Snapchat, Instagram, Twitter, and even the Google Play Store.
BankBot also comes with some extensive capabilities, such as locking the user’s device like ransomware does, or intercepting the user’s text messages so it can bypass two-step verification.
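For defenders vetting apps, the combination of capabilities described above can be checked against an app's decoded manifest. The following is an added example, not code from the article or from Securify: the mapping from each behaviour to Android permissions is an assumption made for triage, and the sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the behaviours named in the article to manifest indicators.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay_or_foreground_watch": {
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.GET_TASKS",
        "android.permission.PACKAGE_USAGE_STATS",
    },
}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample: decoded manifest of a hypothetical "flashlight" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def triage(manifest_xml):
    """Return the sorted capability names whose indicators are present."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    found = {name for name, perms in CAPABILITIES.items() if perms & requested}
    # A device-admin receiver is what allows an app to lock the screen.
    if any(r.get(ANDROID + "permission") == DEVICE_ADMIN for r in root.iter("receiver")):
        found.add("device_lock")
    return sorted(found)


def needs_review(manifest_xml):
    """Flag apps that pair SMS interception with at least one other capability."""
    caps = triage(manifest_xml)
    return "sms_interception" in caps and len(caps) >= 2


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST), needs_review(SAMPLE_MANIFEST))
```

A hit is a reason for manual review rather than a verdict, since legitimate apps can request the same permissions individually.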
Folks over at Securify have posted a list of 424 legitimate banking apps that recently spotted BankBot versions were coded to target. The list includes apps for banks such as Santander, ING, Erste, Volksbank, Eurobank, ABN AMRO, Garanti, HSBC, BNP Paribas and so on. The full list can be checked on Pastebin.