Last May, an operation by Department “K” of the Russian Ministry of Internal Affairs ended with the disruption of a cyber gang whose main purpose was money theft using several Android Trojan families (https://xn--b1aew.xn--p1ai/news/item/10304447/).
Group-IB collaborated in the research and disruption of the group, known as “Cron”. S21sec has been monitoring this botnet's activity, and now we want to share our own research.
This report focuses on the analysis of one of the Android malware families involved. S21sec first detected this Android banker variant at the end of October 2016, and since then we have been working to understand its characteristics, its functionality and the elements that determine the risk it poses.
The appearance of this malware fits the growth of the threat that has been affecting mobile phone users in recent years.
The variant we examine today, unlike earlier examples, has a much simpler configuration, with two clear main functionalities: redirection of calls and full control over SMS messages, although new features were detected in the latest versions.
Another element that sets it apart from other Trojans is the obfuscation of its code and the number of new variant samples of that code detected every day.
Another interesting feature is the information it extracts from the device. Once the malicious app is installed, it checks the phone's details: which operator it belongs to, whether the account has a balance, and whether the device matches the malware's real target, which is customers of Russian banks.