BankBot - Android Banking Malware

BankBot is an Android malware family which keeps making its way into the official Google Play store despite Google's efforts to remove it. The malware has been active since the beginning of the year.

Threat ID:: CC-1363
Category:: Spyware, Trojan
Threat Severity:: Low
Threat Vector:: Download
Published:: 27 April 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

BankBot is an Android malware family which keeps making its way into the official Google Play store despite Google's efforts to remove it. The malware has been active since the beginning of the year.

Affected platforms

The following platforms are known to be affected:

Android

Android OS

Threat details

Despite best efforts to remove BankBot from the Play store, it re-emerges, evading detection attempts. The malware targets several banks including ING, Barclays, Santander, Citi and others.

BankBot is believed to be based on the source code of an Android malware variant which was leaked earlier in the year. Security researchers believe the actors behind BankBot have taken the source code from the unnamed malware and improved it by adding the capability of evading Google's scan for malicious content.

Another function which has been added is the ability to intercept SMS messages in order to gain two-factor authentication. In addition, BankBot also harvests credentials for other apps including social media and other retail applications.

If a device is successfully infected by BankBot, it will attempt to gain root access and remove the application icon from view. It will then compare installed applications against a large list of applications which the malware is able to target and if any exist on the device, it will prompt the user to enter credentials for that service. Finally, BankBot communicates with its Command and Control (C2) server and sends any stolen data.

Threat updates

Date	Update
25 Aug 2017	BankBot continues to develop; the latest variant of BankBot managed to bypass Google security checks and was seen available for download on Google Play Store masquerading as two applications. The two applications were downloaded approximately 5000 times before they were removed. Once downloaded the applications act as a dropper for BankBot. The trojan will wait 20 minutes before it attempts to socially engineer the user to give the application accessibility permissions. If successful, the trojan will then use the accessibility functions to install BankBot without the users permission.

Date

Update

25 Aug 2017

BankBot continues to develop; the latest variant of BankBot managed to bypass Google security checks and was seen available for download on Google Play Store masquerading as two applications. The two applications were downloaded approximately 5000 times before they were removed.

Once downloaded the applications act as a dropper for BankBot. The trojan will wait 20 minutes before it attempts to socially engineer the user to give the application accessibility permissions. If successful, the trojan will then use the accessibility functions to install BankBot without the users permission.

Remediation steps

Type	Step
	Before installing applications, read user reviews which may highlight anything suspicious. Ensure an anti-virus application is present on Android devices Ensure that user data is regularly backed up. Be aware of what permissions an application is requesting.

Type

Step

Before installing applications, read user reviews which may highlight anything suspicious.
Ensure an anti-virus application is present on Android devices
Ensure that user data is regularly backed up.
Be aware of what permissions an application is requesting.

Last edited: 17 February 2020 11:27 am