BasBanke: Trend-setting Brazilian banking Trojan

[harlan4096]

BasBanke is a new Android malware family targeting Brazilian users. It is a banking Trojan built to steal financial data such as credentials and credit/debit card numbers, but not limited to this functionality. The propagation of this threat began during the 2018 Brazilian elections, registering over 10,000 installations to April 2019 from the official Google Play Store alone.

This malware can perform tasks such as keystroke logging, screen recording, SMS interception, and the theft of credit card and financial information. To trick users into downloading the malware, the authors advertise it via Facebook and WhatsApp messages. Campaign’s new URLs redirect victims either to the official Google Play Store or to a website hosting malicious APK packages.

The malicious applications hosted in Google Play Store disguise themselves as applications with supposed functionality such as a secure QR reader, a fake app for a real travel agency with travel deals, and – implementing a well-known trick – as an application to “see who visited your profile.” The most widespread malicious application is a fake version of CleanDroid, first announced in a paid advertisement on Facebook, and linking to the application hosted on the Play Store. This “miraculous” application promises to protect the victim’s device against viruses, to optimize memory space, and to save data when using a 3G or 4G connection. In reality it is a banking Trojan.

The number of targeted banking applications and websites is quite significant. A considerable number of Brazilian financial institutions and other popular websites such as Spotify, YouTube, and Netflix are on the target list. However, when it comes to stealing banking credentials, metadata such as the device name, IMEI, and the telephone number used by the victim are sent to a remote C2. Why pay special attention to this data? Well, fraudsters need it to mimic legitimate access to the account of the victim.

Continue Reading