SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

Android Banker steals Credit Card information and targets certain Banking apps (March 7, 2016)


Dell SonicWall Threats Research Team received reports of an Android Banker malware that targets specific banking applications and steals Credit Card credentials. We have been actively blogging about similar Android Banker malwares in the recent past on our blogs. Some of the targeted banks are similar to the ones we observed in the past, however this time the attack appears to be targeted in nature owing to Russian language used in some parts of the code and traces observed in other places like the SMS messages sent from the app.

Infection Cycle

The malicious app requests for the following permissions during installation:
  • Bind device admin
  • Get tasks
  • Access network state
  • Modify audio settings
  • Device power
  • System alert window
  • Access wifi state
  • Update device stats
  • Change wifi state
  • Internet
  • Wake lock
  • Read sms
  • Receive sms
  • Read external storage
  • Write external storage
  • Read phone state
  • Send sms
  • Receive boot completed
  • Read contacts
  • Call phone
  • Change network state
Once installed the app requests for Device Administrator privileges, a service called RService keeps running in the background that contains bulk of the functionalities.

The malicious app performs a number of activities, few of the malicious ones are as listed below:

  • Stealing credit card information

  • If the victim opens Google Play, an overlay is shown asking for the victim's Credit Card details. This overlay is downloaded from

  • Stealing bank related information

  • The malicious app monitors presence of certain targeted banking applications. If any of these targets are opened on the infected device an alternate login page is shown to the victim. The credentials entered will be sent to the attacker thereby compromising sensitive account related information.

    The fake logins are hosted on the attackers server and are downloaded by the app, these pages are then shown as an overlay over the corresponding targeted banking apps. The image below shows a logcat capture of the malicious application active on the device. Logcat is an Android logging system that shows debug information about apps currently running on the device.

    The image below shows few fake login pages of targeted banking apps hosted on the server

    During our analysis we did not see the fake login page being displayed properly on the device, however we did see an overlay on the login screen once the targeted banking apps were opened:

  • Additional observations

    • We observed SMS messages being sent from the device, most likely to report about the infection. Messages were sent to numbers belonging to Poland and Russia
    • The malicious app has the capability to send sensitive information about the victim to the attacker. Some of the information that is collected includes:
      - Phone number
      - Contacts
      - SMS messages
    • We observed code in a lot of places and the SMS messages sent to be in Russian. This gives a strong indication about the targeted nature of this malware
    • The following banking applications were targeted by the malicious app we analyzed:
      - Commonwealth Bank
      - St.George Mobile Banking
      - Westpac Mobile Banking
      - National Australia Bank
      - Suncorp Bank

    Overall this malicious app has objectives that are similar to few other Android Banker campaigns that we analyzed in the past. It is possible that a common group is part of these campaigns that have been spreading in the recent past. There has been a steady evolution in these campaigns in terms of the components that are being added in each malicious application. We can expect more instances of similar apps in the near future.

    If you are a customer of one of these banks we urge you to pay careful attention towards the mobile applications you use to access the banking portal, additionally please keep an eye on the banking transactions and update your security measures (passwords, security questions) accordingly.

    MD5's with similar functionalities/components (servers):

    • 04c8e24f19308bd92e0bcdb6f02e8b4e
    • f0d8f97f545e94ae43d7182cf086c2bd
    • 84ad5035e5eb429879c1e10fc4460d17
    • 05e3162c984dcf66d0fcdd9e19e2f64f
    • 9877d0ad41b5589be300495c6acdd499
    • 50e4f35e3cec8c71d4e4a614dc26c418
    • 6b9108fced7ba89526823cc01b50df4e
    • 8c97d98823a2fd066878ff986c47d782
    • 63fd18f6cf1b40f13d35268d314ed8d4
    • 538ca97778ac886e121bc054574d7478
    • d1be01cc41ec9b9de2d89ffb22d737d5

    Dell SonicWALL provides protection against multiple versions of this threat via the following signatures:

    • GAV: AndroidOS.Banker.XB (Trojan)
    • GAV: AndroidOS.Banker.XB_2 (Trojan)
    • GAV: AndroidOS.Banker.XB_3 (Trojan)

    Back to top

    Back to SonicALERT

    Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2020 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 16.0 | S1MSW06