
WebInject to mobile attack

Written by David Morán | Feb 27, 2018 1:29:10 PM

On multiple occasions, through bugFraud, we have detected WebInject attacks that begin with a computer banking Trojan and which, on account of the protection methods offered by banking institutions, have had to adapt to attack the mobile device.

Cybercriminals use different social engineering techniques to manipulate users into installing an application on their mobile phones. The application serves to bypass the bank’s two-factor protection method (2FA) and even to retrieve more of the victim’s data so that they can continue to be exploited at a later date.

One of our clients is constantly suffering from this type of attack; hence, here at buguroo LABs, we thought it would be a good idea to give you a general description of the threat, explaining how it works and how this threat type has adapted to other platforms.


Credential and banking data theft

The WebInject we are going to talk about checks specific fields on the banking institution’s website in order to detect which page the user is on.

If they are on the authentication or customer login page, the malware will steal the identification number and the password.

If, on the other hand, the user has already been authenticated, it will try to retrieve banking information, such as active accounts and the available balance. In this way, the cybercriminal can profile the victims and decide who to steal from at a later date.

Furthermore, the WebInject analyzed uses specially designed HTML to try to get the user to enter a debit card and its PIN, giving the attacker more means through which to steal money from the victim’s accounts.



Figure 1. Debit Card Theft

Tricking the victim

By using malware, the cybercriminal tries to make the victim think that their bank has a new security application and, in this way, manage to access their mobile device.


Figure 2. Device selection


Depending on the selection made by the victim, the WebInject will attempt to install an application that affects their mobile phone.

As there is no application for iOS in this attack, if the victim selects the Apple brand, they will be safe.

If, on the other hand, they choose any of the other brands, it will try to get the user to download and install a malicious Android application.

APK installation

To ensure that the installation is successful, the browser shows the user which changes they have to make on their mobile device and asks for a code generated by the malicious application, so that the attacker can see, in their complete list of victims, which one has been infected correctly.



Figure 3. Installation from unknown sources

SMS theft

Once the application has been installed, it requests privilege escalation and a change of the SMS management application. This gives it access to the SMS messages received, which it processes and later sends to the attacker’s control panel.


Figure 4. Reading received SMS


As we can see, banking Trojans have gradually evolved so that malware is already able to track all the devices connected to the victim in order to bypass two-factor authentication measures (2FA).

At the present time, protection against these attacks can be tackled from different perspectives. On the one hand, we can protect the user infected by the banking Trojan and block the WebInject detected or, on the other, we can detect the malicious application attempting to make changes in the mobile device. Finally, an Account Takeover can be detected and use of the stolen credentials blocked.

Our bugFraud solution serves to address these different perspectives and to protect both the victim and the organization and, in this way, prevent fraud.
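For the second perspective above (detecting the malicious application), the behaviour described under "SMS theft" leaves traces in the app manifest. The following is an added example, not code from buguroo or from the analysed sample: a static triage of a decoded AndroidManifest.xml. It assumes the "privilege escalation" request is a device-administrator prompt; the function name, finding labels and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Intent actions an app must handle before Android offers it as the default SMS app.
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.SENDTO",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}

def triage_manifest(manifest_xml):
    """Return findings for a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    actions = {a.get(A + "name") for a in root.iter("action")}
    findings = []
    if perms & SMS_PERMS:
        findings.append("sms_permissions")
    if DEFAULT_SMS_ACTIONS <= actions:
        findings.append("default_sms_app_capable")
    # Assumption: the "privilege escalation" request is a device-administrator prompt.
    for rcv in root.iter("receiver"):
        if rcv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.append("device_admin_receiver")
            break
    return findings

# Constructed sample manifest (not taken from the analysed APK).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
 <uses-permission android:name="android.permission.RECEIVE_SMS"/>
 <application>
  <receiver android:name=".Adm" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  <receiver android:name=".Sms"><intent-filter>
   <action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
  <receiver android:name=".Mms"><intent-filter>
   <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
  <activity android:name=".Compose"><intent-filter>
   <action android:name="android.intent.action.SENDTO"/></intent-filter></activity>
  <service android:name=".Reply"><intent-filter>
   <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
 </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

An app presented as a bank "security" tool that returns all three findings is worth manual review; legitimate messaging apps will also match the first two, so treat the result as a triage signal rather than a verdict.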

