Just as security experts had predicted, the source code of a potent Android banking trojan that was leaked online in mid-December 2016 is now being seen in live attacks on a regular basis.
At the time of writing, security researchers have observed three different campaigns that involved this trojan, which an unhappy customer leaked online on a Russian-speaking underground hacking forum on December 19, last year.
With the source code available to anyone, it took crooks around a month to craft their own version of this Android banking trojan and start distributing it online via malicious applications hosted on third-party app stores.
Three campaigns already detected
Dr.Web security researchers spotted the first campaign around mid-January 2016, and they say crooks only targeted the customers of several Russian banks.
A second and third campaign came to light over the past two weeks, after ESET researchers came across two separate apps on the official Google Play Store.
Both the second and third campaigns shared the same modus operandi, leading ESET researchers to believe they might be the work of the same group.
Crooks sneaked two infected apps inside Google's Play Store
For each of these latter campaigns, crooks took a legitimate Android weather app, embedded the banking trojan in its source code, repackaged the app, and successfully uploaded it to the Play Store, passing Google's Bouncer security scanner.
According to ESET researchers, who discovered and reported the apps to Google's reviewers, the names of these two applications were Good Weather (cloned after the eponymous app) and Weather (cloned after the World Weather app).
For the second campaign, distributing the Good Weather malicious clone, attackers configured the banking trojan to show fake login pages for the apps of 22 Turkish banks.
Third campaign was the most sophisticated
More details in the link above