UBEL — Android Credential Stealing Malware Active in the Wild

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,048
An Android malware that was observed abusing accessibility services in the device to hijack user credentials from European banking applications has morphed into an entirely new botnet as part of a renewed campaign that began in May 2021.

Italy's CERT-AGID, in late January, disclosed details about Oscorp, a mobile malware developed to attack multiple financial targets with the goal of stealing funds from unsuspecting victims. Its features include the ability to intercept SMS messages and make phone calls and perform Overlay Attacks for more than 150 mobile applications by making use of lookalike login screens to siphon valuable data.

The malware was distributed through malicious SMS messages, with the attacks often conducted in real-time by posing as bank operators to dupe targets over the phone and surreptitiously gain access to the infected device via WebRTC protocol and ultimately conduct unauthorized bank transfers. While no new activities were reported since then, it appears that Oscorp may have staged a return after a temporary hiatus in the form of an Android botnet known as UBEL.

"By analyzing some related samples, we found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source-code appears to be shared between multiple [threat actors]," Italian cybersecurity company Cliffy said Tuesday, charting the malware's evolution.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top