Cyber criminals are continuously targeting mobile devices, especially Android, which is the most popular mobile operating system. We have previously noted many attacks on Android devices, and on iOS devices as well. Most attacks arrive via a malicious app that can steal the user's data, give the attacker remote access and steal financial details.
Along the same lines, the security consulting firm FireEye has discovered another piece of malware for Android devices that gives the attacker remote access. Two researchers from FireEye, Jinjian Zhai and Jimmy Su, explain that the newly found malware identifies itself as “Google Service Framework” and disables any antivirus applications on an infected device before moving on to its primary tasks.
Features of Malware
Looking at the features of this malware, it can perform multiple tasks on the infected device.
- Data leakage: steals data from the infected device
- Financial data theft: able to steal bank details and information
- Remote access: gives remote control to the attacker
How it Works?
The infected device would have an application on the home screen with the default Android icon, named Google Service Framework. It first disables any antivirus application before proceeding to its tasks. When the user clicks on the app, it asks for administrative privileges. If the user grants permission, the app disables the user’s ability to uninstall it and initiates a new running app called “GS.”
After that, when the user opens the “Google Services” app, a notification pops up claiming that the app did not install, and then the icon disappears. Within minutes, the researchers claim, the application establishes a connection with its command and control (C&C) server.
The researchers claim that the C&C IP is located in Hong Kong, but it is not clear whether the IP belongs to a static server or to a victim machine controlled by a Remote Administration Tool (RAT).
The researchers found that the malicious app performs multiple tasks, such as UploadDetail, UploadSMS, SendSMS, BankHijack, PopWindow, and Update.
Tasks It Performs
- Following the task list above, the malware first uploads details from the infected device, consisting of the user's personal information, device ID and contact details.
- Secondly, it controls the SMS functionality of the device, reading and sending SMS messages from the device without the user noticing.
- It also checks for any banking application on the infected device and steals the banking details from the device.
When the malware detects any of the banking apps, the C&C uses this module to kill “com.ahnlab.v3mobileplus,” which is a popular anti-virus application available on Google Play. Once this is done, the “PopWindow” module displays a window notifying the user that a new version of their banking app is available. If the user takes the bait, the C&C will install a malicious version of the banking app while uninstalling the original version.
The researchers say that the 'Bank Hijack' feature appears unfinished. FireEye notes that its developers are in the process of building a framework for bank account hijacking.
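The behaviours described above (a label imitating a Google component, a device-administrator grant, a vanishing launcher icon and the AV app being killed) can be combined into a triage check over an app inventory. This is an added example, not code from FireEye or this article; the inventory field names and the package `com.example.gs` are hypothetical, and `com.google.android.gsf` is the genuine Google Services Framework package.

```python
import re

# Genuine package behind the label the article says is imitated (real Android name).
GENUINE_LABELS = {"googleserviceframework": "com.google.android.gsf"}
AV_PACKAGE = "com.ahnlab.v3mobileplus"  # AV app the article says the malware kills

def label_key(label):
    """Normalise a label so 'Google Service(s) Framework' variants compare equal."""
    key = re.sub(r"[^a-z]", "", label.lower())
    return key.replace("services", "service")

def triage_app(app):
    """Return the list of indicators one inventory record matches."""
    hits = []
    genuine = GENUINE_LABELS.get(label_key(app["label"]))
    if genuine and app["package"] != genuine:
        hits.append("label imitates a Google system component")
    if app["device_admin"] and not app["system_app"]:
        hits.append("user-installed app holds device administrator")
    if not app["launcher_icon"] and not app["system_app"]:
        hits.append("user-installed app has no launcher icon")
    return hits

def triage_device(inventory, av_expected=True):
    """Map package -> indicators, plus a device-level note if the AV app is not running."""
    report = {a["package"]: triage_app(a) for a in inventory}
    report = {pkg: hits for pkg, hits in report.items() if hits}
    av = next((a for a in inventory if a["package"] == AV_PACKAGE), None)
    if av_expected and (av is None or not av["running"]):
        report["<device>"] = ["expected AV package is absent or not running"]
    return report

# Constructed sample inventory; the field names and 'com.example.gs' are hypothetical.
SAMPLE = [
    {"package": "com.google.android.gsf", "label": "Google Services Framework",
     "device_admin": False, "system_app": True, "launcher_icon": False, "running": True},
    {"package": "com.example.gs", "label": "Google Service Framework",
     "device_admin": True, "system_app": False, "launcher_icon": False, "running": True},
    {"package": AV_PACKAGE, "label": "V3 Mobile Plus",
     "device_admin": False, "system_app": False, "launcher_icon": True, "running": False},
]

if __name__ == "__main__":
    for pkg, hits in triage_device(SAMPLE).items():
        print(pkg, "->", "; ".join(hits))
```

The genuine framework package is not flagged because its package name matches the label and it is a system app; the constructed look-alike matches all three per-app indicators.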
Malware Source
FireEye researchers found that the malware has the ability to target bank details. In their research they found the malware targeting eight Korean banks, and that number could easily increase. Based on the tool’s user interface, the researchers noted that the criminals who developed the tool are based in Korea and are targeting users in Korea as well. The C&C server IP was also located in Hong Kong, which indicates that the malware was designed in Korea.