Nine years have passed since the first banking malware for Android mobile devices was discovered. It was 2010, and just a year and a half had passed since the launch of HTC Dream, the first smartphone with Android as its operating system.
This first banking Trojan did not steal bank login credentials as such, but was responsible for stealing authorization codes for banking transactions sent to the user by SMS. It was baptized "Zitmo" (Zeus-in-the-mobile), as it was used together with the Zeus banking Trojan for Windows. Attackers stole login credentials through Zeus, while Zitmo allowed them to steal authorization codes to gain access to hacked accounts and authorize fraudulent transactions.
Banking malware evolution
Android has changed since Zitmo appeared, and attackers' techniques for stealing banking data from infected users have changed along with it. One very striking point is that it is currently difficult to find a “banking malware” as such. Instead, most of the banking Trojans are much more than that. They are complex, multi-functional Trojans: SMS theft, contact theft, bulk SMS sending to contacts, ransomware, etc.
We have observed that over the years banking malware's operational scheme has not changed much, but its complexity has. From the beginning, bank credential theft has been based on showing 'overlays', windows that open above the banking application's legitimate window. These fraudulent windows basically contain a form very similar to the original; their objective is for the user to enter their credentials and send them to the control server.
Although there is currently banking malware for Android, it should be noted that the banking Trojans for Android are really complete spy Trojans, with much more functionality than that needed for the theft of banking credentials. This is because malware authors do not usually seek to infect their victims; they want to sell their software to third parties, who can configure all the functionalities that interest them in just a few steps and distribute the Trojan.
Credential theft with ‘overlays’
Among the most popular banking Trojans today are Anubis Bankbot and Cerberus. Other 'bankers' whose popularity has declined are RedAlert and Marcher. New samples from the latter two have been very rare for months, while Anubis and Cerberus are up-and-coming Trojans at the moment.
The technique used by all Android banking Trojans to steal login credentials is based on displaying 'overlays'. The malware obtains the complete list of applications installed on the device, something that is simple to do and does not require special permissions.
Once the installed applications have been identified, the Trojan can determine which of them it should attack. Next comes the most complex part: detecting the moment in which the application is initiated by the user. Once the malware has started, it will simultaneously open a window that simulates the window of the affected entity requesting the account login credentials.
To detect the launch of the affected application, banking Trojans usually implement an Android service. This service will check the list of active processes in the system again and again, to see if any of the affected applications is running at any time.
One of the ways used in Anubis to obtain the list of active processes is to use the Android API 'UsageStatsManager' class. Through this class, the malicious application is able to obtain the list of processes running and the last time they ran in the foreground. Thanks to this information, the Trojan is able to know what application is running in the foreground at all times.
Code responsible for obtaining the foreground application (Anubis)
By default, an application cannot have access to usage statistics if it does not request the 'PACKAGE_USAGE_STATS' permission, so the malware is obliged to request this permission at least.
Another usual permission is 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', which allows the malicious application to continue its execution regardless of whether the user has energy saving settings configured. Remember that one of the problems of this type of malware is that they need to constantly run a service that checks the processes in execution.
Once it has been detected that an affected application is running, the malware quickly launches the 'overlay' with phishing. Showing the 'overlay' doesn't require any complex tricks, as an 'Activity' can be launched like any other Android application. The only drawback is that if the user presses the 'multitasking' button, they will be able to see all open applications, which includes the legitimate banking application and the malicious application's activity.
Code responsible for initializing the phishing 'WebView' (Anubis)
Most banking malware carries out its activity with the false login form using a 'WebView'. This 'WebView' will load a phishing website hosted on the malware control server, allowing the malware to simplify the development of phishing windows and update the style quickly if necessary.
Although most malware uses 'WebViews', some of them also include native activities. One example is Marcher.
To achieve persistence in the system and start the malicious service every time the system is started, these Trojans configure the 'receiver' 'RECEIVE_BOOT_COMPLETED' in the malicious service, which will allow the system to start the service when the system boots.
As we can see, shortly after the launch of the first smartphone Android attackers already saw the potential that mobile devices would have and developed the first banking malware, 'Zitmo'. However, it did not steal the credentials by itself; it acted as support for the 'Zeus' malware for Windows.
Over the years, the functionality destined to the theft of banking credentials has not evolved too much. However, malware authors seem to prefer an evolution based on the increase of functionalities, which allows them to have generic malware that includes several types in one.
This trend towards the development of generic malware not only allows them to obtain benefits through the theft of banking data; it also provides them with profits through other functionalities: ransomware, bulk sending of SPAM messages, etc.
Moreover, the generic development allows them to obtain economic profits without the need to infect users directly, selling malicious software through 'underground' forums on the 'deep web', which reduces difficulties and increases profit.