Toddler is a new banking malware for Android, detected for the first time in January 2021. The technique for stealing banking credentials is still the same as that used by other families of banking malware for Android.
Phishing web injections displayed as overlays as soon as the launch of the affected banking application is detected is the main strategy for stealing the banking credentials of its victims. Thus, the malware operators trick the user into believing that the login window that appears actually corresponds to the legitimate application.
In addition to the theft of credentials through phishing overlays, Toddler also implements the theft of credentials through the log of accessibility events, specifically those related to the changes that occur in the text fields that are displayed on the login interface.
2020 has been a year marked by a virus, not one of the ones we usually talk about, but a biological one. COVID-19 monopolized people's attention the past year, including among malware developers. A large part of malware families, both banking and non-banking, have tried to take advantage of the health crisis through fraudulent campaigns in which their creations were distributed as if they were contact tracing apps.
In this report we have reviewed some of the most active and interesting families of banking malware that 2020 has given us, including those designed to steal credentials in Windows as well as those for Android.
As with a significant part of the Brazilian banking malware, this one focuses on the theft of credentials through keylogging and includes the option to steal the credentials stored in browsers, although its developers haven't even bothered to implement this functionality and have limited themselves to using legitimate tools.
The list of affected banking entities is also the usual list when it comes to Brazilian banking malware, including entities from Chile, Mexico, Spain, and Portugal, and also including other uncommon entities from other countries such as Italy and Bolivia.
One aspect of its functionality that stands out is the operators' special interest in disabling the antivirus software that is installed on the victim's computer, while trying to avoid detection.
In order to steal the victim's credentials, this trojan logs the keystrokes that occur on the computer and allowing the attacker to gain control of it and use it to carry out transactions without setting off fraud detection alarms.
Its developers have created a remote control tool (RAT), which allows them to have almost complete control over the infected system, allowing them to do more than just steal credentials if they so wish.
The attackers are using this trojan to steal money from the accounts of their victims, and to do so they are taking advantage of the sessions logged into on the entity's website, since the connection with the control server is established by a website that the user accesses on the entity's website.
Ghimob, the new banking trojan for Android, of Brazilian origin and which started its activity only a few months ago, is spreading like wildfire and affects banks all over the world.
The fact that its spread was discovered using Windows Guildma banking trojan control servers seems to indicate that both trojans share developers.
When it comes to banking malware, we find that the vast majority of families don't stick to the basic functionality of credential-stealing malware, but rather their developers try to maximize their ability to attract buyers.
The business isn't limited to trying to give the buyer as much functionality as possible, but they use the same marketing strategies as in any other legal business: promotions, trial periods for their products, etc.
This potential new family shares certain similarities with Cerberus and Eventbot, although it doesn't seem to be either of the two due to certain key differences, such as the encryption of the data sent and received from the control server and the commands that can be executed on the device through the server.
We've discarded the possibility of it being a new iteration of one of these two families, since it doesn't present one of the most important characteristics that complicates their analysis: the encryption and obfuscation of text strings.
Since March, there have been signs of a new trojan in the sphere of banking malware for Android. The name given to this new family is ‘Eventbot’. This is mainly due to the fact that the word ‘event’ is used in the malicious app package identifier, probably because of its novel functionality of using accessibility events to steal credentials.
Most banking trojans use accessibility events to detect when an application is opened, before showing a webinject with a phishing form that siphons off the victim’s credentials.
BasBanke, also known as CoyBot, has been very active in recent weeks, in the form of new propagation campaigns for new samples in which it has not only supplanted other brands to make the user believe that it is a legitimate application, but has also impersonated to banking entities in specific versions that only affect said entities.
There have been no changes at a technical level with respect to past campaigns. However, the big news is the inclusion of new affected banking entities.
What should we expect in the future? For the future we can expect more malware, mainly Ransomware. Ransomware attacks increased significantly in 2019, and don’t only attack users anymore. .
There have been attacks on companies, seeking to obtain the greatest possible benefit. Hijacking user documents is one of the best ways to earn money, since users desperate to recover them may end up paying to do so.
Although malware for mobile devices has gained popularity in recent years due to the rise of smartphones, where almost anything can be managed today, desktop malware is still there.
Moreover, with the improvements introduced in threat detection, it is the malware developers who evolve and include increasingly complex functionalities to achieve their objective and steal banking credentials.
Theft of banking credentials is based on 'overlays' that are shown to the user when he or she starts the legitimate application of the affected bank. In addition to the use of 'overlays', GINP uses the same techniques as the rest of the Android banking Trojans to detect the start of legitimate apps, implementing an accessibility service that receives the events that occur in the user interface.
It is especially curious that this malware has gone from being a spy Trojan to being a banking Trojan which, additionally, only affects Spanish banking entities. This indicates that these samples are specially designed to affect Spanish users.
The samples arrived through our automatic malware analysis systems, and the propagation vectors used by the criminals could not be found in the study made.
Probably, as usual with this type of malware, the distribution of the malicious APK was effected through fraudulent web pages.
Trojans of the Host Modifier type are usually distributed through fake SPAM emails, in which it is common for the attacker to impersonate public agencies or companies. This modus operandi is not exclusive to this malware family, as we can see that there are other families that affect Latin American entities and also use these tricks.