TODDLER: Credential theft overlays and accessibility event logging
In January of 2021, a new family of previously undetected banking malware was discovered. The samples were found on the VirusTotal and Koodous malware analysis platforms.

Several antimalware engines flagged these applications as malicious from the start, largely because they reuse the same credential-theft strategies as established Android banking families such as Cerberus and Anubis Bankbot. The detection logic already built for those families therefore matched the malicious functionality of the new samples as well.

As we will see, this new banker differs little from the other banking trojans found on Android devices. It follows the usual credential-theft approach: web injections that present the victim with a WebView containing a phishing page that mimics the login interface of the targeted bank.

Below we discuss the distribution channels the attackers could have used, as well as how the malware operates, including its credential-theft techniques and the theft of other information from the device. The full report can be downloaded from this page.



Toddler is a new banking malware family for Android, first detected in January 2021. Its technique for stealing banking credentials is the same as that used by other Android banking malware families.

Its main strategy for stealing victims' banking credentials is to display phishing web injections as overlays as soon as it detects that a targeted banking application has been launched. The user is thereby tricked into believing that the login window that appears belongs to the legitimate application.

In addition to phishing overlays, Toddler also steals credentials by logging accessibility events, specifically those that report changes to the text fields of the login interface (in Android terms, the TYPE_VIEW_TEXT_CHANGED events delivered to an accessibility service while the victim types).
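The two behaviours described above, the overlay shown when a targeted app comes to the foreground and the logging of text-field changes, both depend on capabilities an Android app has to declare statically: permission to draw over other apps (SYSTEM_ALERT_WINDOW) and an accessibility service whose configuration subscribes to window-state and text-change events. The following triage script is an added example written for this article, not code from the report or from the malware; it parses a decoded (for example apktool-style) AndroidManifest.xml and accessibility service config and reports which of those capabilities are present. The package name, class names and XML fragments are constructed for the example. Note that legitimate screen readers and password managers declare the same combination, so the result is a triage signal, not a verdict.

```python
"""Static triage of a decoded Android app for the capability combination that
overlay-plus-accessibility-logging bankers need (example code, not from the
report). Input is decoded XML text as produced by tools such as apktool."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(el, name):
    """Read an android:-namespaced attribute from an element."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


# Constructed AndroidManifest.xml (not from a real sample).
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flashlight">
    <service android:name=".svc.AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
                 android:resource="@xml/acc_config"/>
    </service>
  </application>
</manifest>"""

# Constructed res/xml/acc_config.xml referenced by the service above.
ACC_CONFIG_XML = """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeWindowStateChanged|typeViewTextChanged"
    android:accessibilityFeedbackType="feedbackGeneric"
    android:accessibilityFlags="flagReportViewIds|flagRetrieveInteractiveWindows"
    android:canRetrieveWindowContent="true"
    android:notificationTimeout="100"/>"""


def parse_manifest(xml_text):
    """Collect requested permissions and declared accessibility services."""
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        if attr(svc, "permission") != "android.permission.BIND_ACCESSIBILITY_SERVICE":
            continue
        cfg = None
        for md in svc.iter("meta-data"):
            if attr(md, "name") == "android.accessibilityservice":
                cfg = attr(md, "resource")  # e.g. "@xml/acc_config"
        services.append({"name": attr(svc, "name"), "config": cfg})
    return {"permissions": perms, "accessibility_services": services}


def parse_accessibility_config(xml_text):
    """Split the pipe-separated event-type and flag lists of the service config."""
    root = ET.fromstring(xml_text)
    split = lambda s: set(filter(None, (s or "").split("|")))
    return {
        "event_types": split(attr(root, "accessibilityEventTypes")),
        "flags": split(attr(root, "accessibilityFlags")),
        "can_retrieve_window_content": attr(root, "canRetrieveWindowContent") == "true",
    }


def triage(manifest_xml, config_xml=None):
    """Return a sorted list of indicator codes found in the decoded app."""
    m = parse_manifest(manifest_xml)
    found = set()
    if "android.permission.SYSTEM_ALERT_WINDOW" in m["permissions"]:
        found.add("overlay_permission")
    if m["accessibility_services"]:
        found.add("accessibility_service")
        if config_xml is not None:
            c = parse_accessibility_config(config_xml)
            types = c["event_types"]
            # typeAllMask subscribes to every event type, so it implies both.
            if "typeAllMask" in types or "typeWindowStateChanged" in types:
                found.add("window_state_events")   # can notice target app launches
            if "typeAllMask" in types or "typeViewTextChanged" in types:
                found.add("text_change_events")    # can log typed credentials
            if c["can_retrieve_window_content"]:
                found.add("window_content_access")
    return sorted(found)


def overlay_and_keylog_capable(manifest_xml, config_xml=None):
    """True when the app can both overlay a launched app and read typed text."""
    found = set(triage(manifest_xml, config_xml))
    return {"overlay_permission", "window_state_events", "text_change_events"} <= found


if __name__ == "__main__":
    for code in triage(MANIFEST_XML, ACC_CONFIG_XML):
        print("indicator:", code)
    print("overlay + keylog capable:", overlay_and_keylog_capable(MANIFEST_XML, ACC_CONFIG_XML))
```

On a real sample the script is run against the output of a decoder rather than the embedded strings; compiled manifests are binary XML, and some decoders emit event types as a numeric mask rather than names, in which case the mask has to be translated before the name checks apply. Treat a match as a reason to look at the service's code for what it does with the captured text, not as a detection on its own.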

Posted by David Morán

David has more than 15 years' experience in cybersecurity, systems and development, starting out in a now-defunct hacking team known as Badchecksum. He collaborated with the Painsec security team at Defcon 19. He is versed in scalable environments thanks to his work at the Tuenti social network, which handled a traffic load of over 12 Gbps. He has been involved with buguroo almost since the outset and has contributed to all the tools developed by the company, including source code analysers, malware analysis and cyber intelligence. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits, as well as malware for Windows environments. He is currently the head of Revelock's development team, managing task distribution and coordinating with the Head of Technology.
