Banking Trojan discovered in hacked Android games

omidomi

Level 71
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,001
Doctor Web security researchers regularly register cases of Android mobile devices being infected with banking Trojans. To make malicious applications spread faster, virus makers usually masquerade them as benign programs. Android.BankBot.104.origin is not an exception because cybercriminals distribute this malware under the guise of a hack tool for mobile games and as a game cheating program.

This time, attackers focused their attention on those who prefer to play hacked games, which makes a gameplay easier and faster. To successfully distribute the Trojan, virus makers monitor whether the potential victim surfs the Web in order to find cheat codes for the game to simplify its walkthrough (for example, infinite gold, crystals, and so on) or they would like to download a hacked version of the favorite game. Thus, among the search results, the user sees links that lead to various fraudulent websites specially designed to trick naive gamers.



These websites can inform users about more than 1,000 different mobile games—thus, the search engine displays fraudulent links on top of the search results. It is noteworthy that all these resources have valid digital signatures, which makes them seem quite legitimate.

When the user tries to download a game from this site, they are redirected to another scam webpage that is used to spread Android.BankBot.104.origin under the guise of a hacked game or a game cheating software. In addition to this banking Trojan, the webpage can distribute other threats belonging to the Android.ZBot family.



Android.BankBot.104.origin is protected with a special packer that complicates an anti-virus detection of the Trojan and its analysis. One of its last modifications was named Android.BankBot.72; yet, given that attackers always create new repacked versions of the Trojan, this malware can be detected under different names. Android.BankBot.104.origin is an obfuscated version of Android.BankBot.80.origin, which means that its code is securely encrypted.



Android.BankBot.104.origin is installed on a mobile device as an application named “HACK”. Once launched, the Trojan tries to get administrator privileges and then removes its shortcut from the home screen.



After that, the Trojan determines whether there is an online banking application installed on the device, and how much funds are available on the user’s bank accounts. To do that, Android.BankBot.104.origin sends special SMS commands to banking systems numbers. If successful, the Trojan attempts to covertly transfer money from the victim’s bank accounts to cybercriminals’.

Moreover, attackers control the Trojan from the remote server. Thus, this malware can enable forwarding to the specified number, hide and intercept SMS messages, send text messages and USSD requests, and perform other malicious actions.

Doctor Web specialists strongly recommend to avoid visiting such-like dubious resources and downloading hacked mobile games and applications if you do not want to lose all the money from your bank accounts. Dr.Web for Android successfully detects all the known modifications of this Trojan, and, therefore, this malicious program poses no threat to our users.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Sometimes way better to download games on Play Store only and if you know the game origin very well.

3rd party store opens new hole from those hacked android games alongside of other stuffs.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top