Security News > 2021 > November > More Stealthier Version of BrazKing Android Malware Spotted in the Wild
Banking apps from Brazil are being targeted by a more elusive and stealthier version of an Android remote access trojan that's capable of carrying out financial fraud attacks by stealing two-factor authentication codes and initiating rogue transactions from infected devices to transfer money from victims' accounts to an account operated by the threat actor.
"It turns out that its developers have been working on making the malware more agile than before, moving its core overlay mechanism to pull fake overlay screens from the command-and-control server in real-time," IBM X-Force researcher Shahar Tavor noted in a technical deep dive published last week.
BrazKing, like its predecessor, abuses accessibility permissions to perform overlay attacks on banking apps, but instead of retrieving a fake screen from a hardcoded URL and present it on top of the legitimate app, the process is now conducted on the server-side so that the list of targeted apps can be modified without making changes to the malware itself.
"The detection of which app is being opened is now done server side, and the malware regularly sends on-screen content to the C2. Credential grabbing is then activated from the C2 server, and not by an automatic command from the malware," Tavor said.
"Should the user attempt to restore the device to manufactory settings, BrazKing would quickly tap the 'Back' and 'Home' buttons faster than a human could, preventing them from removing the malware in that manner," Tavor explained.
The ultimate goal of the malware is to allow the adversary to interact with running apps on the device, keep tabs on the apps the users are viewing at any given point of time, record keystrokes entered in banking apps, and display fraudulent overlay screens to siphon the payment card's PIN numbers and 2FA codes, and eventually perform unauthorized transactions.
News URL
https://thehackernews.com/2021/11/more-stealthier-version-of-brazking.html
Related news
- Android malware uses NFC to steal money at ATMs (source)
- New NGate Android malware uses NFC chip to steal credit card data (source)
- Cybercriminals Deploy New Malware to Steal Data via Android’s Near Field Communication (NFC) (source)
- New Android Malware NGate Steals NFC Data to Clone Contactless Payment Cards (source)
- SpyAgent Android malware steals your crypto recovery phrases from images (source)
- New Android SpyAgent Malware Uses OCR to Steal Crypto Wallet Recovery Keys (source)
- Beware: New Vo1d Malware Infects 1.3 Million Android-based TV Boxes Worldwide (source)
- New Android Malware 'Ajina.Banker' Steals Financial Data and Bypasses 2FA via Telegram (source)
- New Vo1d malware infects 1.3 million Android TV streaming boxes (source)
- New Vo1d malware infects 1.3 million Android streaming boxes (source)