In the last month, several samples have been detected of what appears to be a new banking trojan for Android. This potential new family shares certain similarities with Cerberus and Eventbot, although it doesn't seem to be either of the two because of some key differences, such as the encryption of the data sent to and received from the control server, and the set of commands that the server can execute on the device.
We've ruled out the possibility of it being a new iteration of one of these two families, since it lacks one of the most important characteristics that complicate their analysis: the encryption and obfuscation of text strings. In the case of Eventbot, we've recently detected samples that have gone a step further in the encryption and obfuscation of strings, as we've already mentioned on our blog, so these samples cannot be a new version of that family.
It doesn't feature any significant new developments compared to the other families of Android bankers, and the theft of credentials follows the usual pattern: injections displayed through overlays. As soon as the user opens the legitimate banking application, or any other targeted non-banking application, the trojan detects the launch of the app through the accessibility service it registers and displays an overlay containing a phishing page that closely resembles the login form of the application it's impersonating.
The theft of credentials is this family's main functionality, as is the case with other families of Android banking malware such as Cerberus, Anubis Bankbot, GINP or Eventbot. However, like most malware families, it also includes functionalities that go beyond the theft of credentials, such as the theft of received and sent text messages, the sending of spam messages to contacts, or even an SMS flood attack that uses the infected device to overload a phone number specified by the attacker.