Recently a new strain of Android malware has been spreading that targets your bank credentials straight from your fingertips. Phishing apps posing as legitimate banking apps to steal credentials are nothing new; what is new is that this one keeps evolving and gets more deceitful.
The new Android banking malware is named “Catelites Bot”, and it can impersonate more than 2,200 banks. According to joint research by SfyLabs and Avast, the new phishing malware could be linked to a previously busted Russian cyber gang that operated “Cronbot”, which infected more than a million users and stole nearly a million dollars.
Since we mentioned Cronbot: experts say it shares some key similarities with Catelites Bot, but the latter is more sophisticated in that a single piece of malware can impersonate more than 2,200 banks.
How does it disguise itself?
An internet connection is most likely crucial for the phishing malware to function, because researcher Nikolaos Chrysaidos revealed that it automatically retrieves the logos and names of Android banking apps from the Google Play Store on demand. Its banking screens do not, however, perfectly match the legitimate apps.
How does it spread among users?
The phishing malware spreads through third-party app stores outside Google Play, where fake apps are easily uploaded and then downloaded by unsuspecting users.
Once the user chooses to install the app, it asks for device administrator permissions. Once these are granted, it releases its payload onto the Android device.
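The two traits described above (installed from somewhere other than Google Play, and holding device-administrator rights) are what a defender can look for on a device. The following Python script is an added example written for this article, not code from Avast, SfyLabs or the malware analysis: it parses the output of `adb shell pm list packages -i` (which reports each package's installer) and the "Enabled Device Admins" section of `adb shell dumpsys device_policy`, and flags non-system packages that are device admins but were not installed by Google Play. Both sample outputs are constructed for the example, the package names are hypothetical, and the exact dumpsys layout is an assumption that varies between Android versions.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output.
# Assumed format: "package:<name>  installer=<installer package or null>".
PM_LIST_SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bankclone  installer=null
package:com.example.altstore.app  installer=com.example.altstore
package:com.android.settings  installer=null
"""

# Constructed sample of the device-admin section of `adb shell dumpsys device_policy`.
# Assumed layout: admin entries indented under an "Enabled Device Admins" header,
# each as <package>/<receiver class>, followed by more-indented detail lines.
DEVICE_POLICY_SAMPLE = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.bankclone/.AdminReceiver
      uid=10231, ...
    com.google.android.gms/.security.DeviceAdminReceiver
      uid=10042, ...
  Password policy
"""

TRUSTED_INSTALLERS = {"com.android.vending"}          # Google Play's installer package
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")  # skip platform components


def parse_installers(pm_output):
    """Map package name -> installer package (None when the installer is unknown)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_device_admins(dumpsys_output):
    """Return the set of packages listed as enabled device admins."""
    admins = set()
    header_indent = None
    for line in dumpsys_output.splitlines():
        indent = len(line) - len(line.lstrip())
        if "Enabled Device Admins" in line:
            header_indent = indent
            continue
        if header_indent is None:
            continue
        if line.strip() and indent <= header_indent:
            break  # a new top-level section started; the admin list is finished
        m = re.match(r"\s*([A-Za-z0-9_.]+)/(\S+)$", line)
        if m:
            admins.add(m.group(1))
    return admins


def flag_sideloaded_admins(pm_output, dumpsys_output):
    """List (package, installer) for non-system device admins not installed by Google Play."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg in sorted(parse_device_admins(dumpsys_output)):
        if pkg.startswith(SYSTEM_PREFIXES):
            continue
        inst = installers.get(pkg)
        if inst not in TRUSTED_INSTALLERS:
            findings.append((pkg, inst or "unknown/sideloaded"))
    return findings


if __name__ == "__main__":
    for pkg, inst in flag_sideloaded_admins(PM_LIST_SAMPLE, DEVICE_POLICY_SAMPLE):
        print(f"SUSPICIOUS device admin: {pkg} (installer: {inst})")
```

On a real device the two inputs would come from `adb shell pm list packages -i` and `adb shell dumpsys device_policy`; a hit means a sideloaded app has been granted the same device-administrator rights the article says this malware asks for, which is worth investigating and, if unexplained, revoking under Settings before uninstalling the app.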
So far the malware is rampant among users in Russia, according to Chrysaidos, who also believes it is in an early pilot stage. This means there is a strong possibility that the group behind the attacks is looking to roll out the infection worldwide, aiming at bank customers around the globe.
Payload: Phishing in Action
The fake, still-evolving phishing app uses forms that overlay the screen to fool users into entering their banking credentials. Any data entered is sent to the culprit, just as with a regular phishing website. Surprisingly, according to Avast and SfyLabs, Catelites Bot has a lot of functions that are not yet deployed, which points to a more sophisticated version appearing once the attackers decide to spread the malware worldwide.
Since the app does not look like it is in its final form, a version of this malware could be released with a “zero-condition permission” function, so that the app no longer requires the user to grant permissions manually. Such a function would most likely work on Android 7.1 and below because of a vulnerability those versions possess.
For those who value security, it is best to keep your firmware and operating system updated at all times.