Security firm FireEye disclosed in December the details of a Trojan that has been used to attack users of mobile banking apps. Researchers have now discovered the Trojan has become more sophisticated and difficult to detect.
Security researchers believe a well-organized group of attackers has made the Trojan more sophisticated as part of an effort to expand the scope of their malicious campaign. Called SlemBunk, the Trojan is designed to display a bogus user interface on the device's screen once the malicious software detects that a mobile banking app is running.
Unsuspecting users are the most likely victims of this kind of scheme. The Trojan is able to imitate the user interfaces of mobile apps built by more than 30 banks across the world; the first variants of the Trojan were spread as fake copies of those mobile banking apps through a number of third-party app stores.
That means you will not find the apps on the Google Play Store or the Apple App Store. In practice, then, only mobile devices that have been rooted or jailbroken are easy targets for SlemBunk, because those devices are configured to install apps downloaded from third-party app stores.
More specifically, attackers use drive-by download techniques to distribute the new versions of the Trojan, and users who visit porn sites are the primary targets. When they open such a site, they receive a notification telling them to download an update for their Flash Player and an application programming interface in order to watch the video.
Users with no technical knowledge of what a legitimate Flash update looks like, or how one is rolled out, will readily believe they are downloading the genuine update so they can watch the video, with no regard for the risk that comes with it.
The native application scanner built into Android, and even other legitimate antivirus apps, will have a hard time detecting the APK delivered by the first download, because it contains no malicious components and shows no sign of malicious activity.
The Trojan hides the code that generates its real functionality and writes that code into a second APK stored on the device. The first app then loads the second APK into memory and removes it from the file system afterward. The second APK shows no malicious activity either, but it is the one that contains the malicious payload.
The purpose of this layered approach is to make the attack harder to detect and more persistent: the downloader will always find a way to fetch the payload back onto the device.
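The staged-loading behaviour described above leaves static traces a defender can look for even when the second-stage payload itself is never found on disk: the first-stage APK must reference a runtime class loader to pull a second APK into memory, and it often carries or writes that payload under a non-executable name. The script below is an added example, not FireEye's code or anything recovered from SlemBunk. It scans an APK (a ZIP file) for class-loader names in the DEX string table and for embedded DEX or ZIP payloads hidden under other file names; the sample APKs it scans are constructed in memory for demonstration and are not real, installable packages. The indicator lists are heuristic assumptions, and the file-deletion indicator in particular is weak on its own, since many benign apps reference `java.io.File`.

```python
"""Heuristic static scan for staged-loader Android packages (added example)."""
import io
import zipfile

# Class-loader and helper names that appear as UTF-8 strings in a DEX string
# table when an app loads code at runtime. Heuristic list (assumption).
LOADER_INDICATORS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"loadDex",
)
# Weak signal that the first stage cleans up after itself (assumption).
DELETE_INDICATORS = (b"Ljava/io/File;", b"delete")

DEX_MAGIC = b"dex\n"        # start of a DEX header
ZIP_MAGIC = b"PK\x03\x04"   # start of a ZIP/APK local file header


def scan_apk(apk_bytes: bytes) -> dict:
    """Return indicator findings for one APK supplied as bytes."""
    findings = {
        "dynamic_loader": [],     # loader names referenced by the DEX code
        "embedded_payloads": [],  # non-.dex entries that are really DEX/ZIP
        "deletes_files": False,   # weak: references File plus a delete method
        "dex_count": 0,
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.startswith("classes") and name.endswith(".dex"):
                findings["dex_count"] += 1
                for ind in LOADER_INDICATORS:
                    if ind in data:
                        findings["dynamic_loader"].append(ind.decode())
                if all(ind in data for ind in DELETE_INDICATORS):
                    findings["deletes_files"] = True
            elif not name.endswith(".dex"):
                # A payload hidden under assets/ or res/raw/ with a bland name
                if data.startswith(DEX_MAGIC) or data.startswith(ZIP_MAGIC):
                    findings["embedded_payloads"].append(name)
    return findings


def is_suspicious_stager(findings: dict) -> bool:
    """Verdict: code is loaded at runtime AND a payload is carried or cleaned up."""
    return bool(findings["dynamic_loader"]) and (
        bool(findings["embedded_payloads"]) or findings["deletes_files"]
    )


def build_sample_apk(embed_payload: bool, use_loader: bool) -> bytes:
    """Construct a toy APK in memory (constructed sample, not a real package)."""
    dex = b"dex\n035\x00" + b"Lcom/example/Main;"
    if use_loader:
        dex += (b"\x00Ldalvik/system/DexClassLoader;\x00loadDex"
                b"\x00Ljava/io/File;\x00delete")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex)
        if embed_payload:
            # Second-stage APK disguised as a data file under assets/
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as izf:
                izf.writestr("classes.dex", b"dex\n035\x00payload")
            zf.writestr("assets/update.dat", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("stager", build_sample_apk(True, True)),
                       ("benign", build_sample_apk(False, False))):
        result = scan_apk(apk)
        print(label, "suspicious" if is_suspicious_stager(result) else "clean", result)
```

Because the second stage is deleted from disk after it is loaded, a scanner that only inspects installed files on the device will miss it; the point of checking the first stage for loader references and embedded payloads is to catch the dropper before the payload ever runs. A real DEX string table is binary, so the byte-substring search above works on genuine `classes.dex` files as well as on the toy sample.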