Mobile banking customers in Brazil are once again being targeted with malware that can take over their devices, exfiltrate sensitive data and ultimately perform wire fraud.
This is according to a new report from cybersecurity researchers ThreatFabric, who recently spotted the campaign and wrote a technical analysis as a warning. As per the researchers, threat actors known as DukeEugene were sending out phishing emails, in which they tricked the recipients into downloading a dropper for Android, called Rocinante.
This dropper, usually impersonating banking apps and telecommunications firms such as Itaú Shop, Santander, Bradesco Prime, or Correios Celular, asks for permissions upon installation, including the dreaded Accessibility Service. Generally speaking, Accessibility Service permissions are reserved for system apps only, and if a commercial app asks for them, it’s usually a red flag signaling potential malware.
Abusing Accessibility Services
If the victim grants these permissions, they can expect to lose sensitive data, and give the attackers control over their mobile device, since in many cases the malware can serve fake bank login pages:
“This malware family is capable of performing keylogging using the Accessibility Service, and is also able to steal PII from its victims using phishing screens posing as different banks,” ThreatFabric said in its report. “Finally, it can use all this exfiltrated information to perform device takeover (DTO) of the device, by leveraging the accessibility service privileges to achieve full remote access on the infected device.”
The stolen data gets exfiltrated to a Telegram bot, the researchers further explained, where it’s served to the attackers in plaintext, ready to be used.
“The bot extracts the useful PII obtained using the bogus login pages posing as the target banks. It then publishes this information, formatted, into a chat that criminals have access to,” ThreatFabric said. “The information slightly changes based on which fake login page was used to obtain it, and includes device information such as model and telephone number, CPF number, password, or account number.”
Via The Hacker News
More from TechRadar Pro
https://cdn.mos.cms.futurecdn.net/De6HMXQy8UW49U2VR97BUN-1200-80.png
Source link