Security News > 2021 > November > More Stealthier Version of BrazKing Android Malware Spotted in the Wild
Banking apps from Brazil are being targeted by a more elusive and stealthier version of an Android remote access trojan that's capable of carrying out financial fraud attacks by stealing two-factor authentication codes and initiating rogue transactions from infected devices to transfer money from victims' accounts to an account operated by the threat actor.
"It turns out that its developers have been working on making the malware more agile than before, moving its core overlay mechanism to pull fake overlay screens from the command-and-control server in real-time," IBM X-Force researcher Shahar Tavor noted in a technical deep dive published last week.
BrazKing, like its predecessor, abuses accessibility permissions to perform overlay attacks on banking apps, but instead of retrieving a fake screen from a hardcoded URL and present it on top of the legitimate app, the process is now conducted on the server-side so that the list of targeted apps can be modified without making changes to the malware itself.
"The detection of which app is being opened is now done server side, and the malware regularly sends on-screen content to the C2. Credential grabbing is then activated from the C2 server, and not by an automatic command from the malware," Tavor said.
"Should the user attempt to restore the device to manufactory settings, BrazKing would quickly tap the 'Back' and 'Home' buttons faster than a human could, preventing them from removing the malware in that manner," Tavor explained.
The ultimate goal of the malware is to allow the adversary to interact with running apps on the device, keep tabs on the apps the users are viewing at any given point of time, record keystrokes entered in banking apps, and display fraudulent overlay screens to siphon the payment card's PIN numbers and 2FA codes, and eventually perform unauthorized transactions.
News URL
https://thehackernews.com/2021/11/more-stealthier-version-of-brazking.html
Related news
- TrickMo malware steals Android PINs using fake lock screen (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- Android malware "FakeCall" now reroutes bank calls to attackers (source)
- New FakeCall Malware Variant Hijacks Android Devices for Fraudulent Banking Calls (source)
- New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers (source)
- Cyber crooks push Android malware via letter (source)