A fraudulent app posing as a phone call recorder in the Google Play store managed to steal thousands of euros from several bank customers in Europe. The malicious code was planted in an app called QRecorder, which was advertised as an automatic call and voice recording tool.
At the time of the analysis, it had been downloaded by over 12,000 users.
Once installed, the malicious app could intercept SMS messages and asked for the user’s permission to overlay other applications with its own graphical user interface. These capabilities allow it to capture 2FA (Two-Factor Authentication) codes that users receive via SMS and to control what the user sees on the screen. Wow, talk about a hostile device takeover.
Lukas Stefanko, an ESET security researcher, says that the audio recording features worked as advertised, so victims had no reason to suspect any harmful activity. According to Stefanko, the operator sends instructions to the app within 12-24 hours of installation.
When a targeted banking app launched, the Trojanized QRecorder covered it with a phishing screen that collected login credentials and passed them on to the attacker.
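The two capabilities described above (SMS interception and overlaying other apps' screens) both leave a trace in an Android app's manifest: SMS access and overlay drawing are requested through `uses-permission` entries, and the ability to observe and act on other apps' UI comes from an accessibility service bound with `BIND_ACCESSIBILITY_SERVICE`. The following script is an added example, not code from ESET or from the article, that audits a manifest for that combination against the permissions a call recorder would legitimately need; the two manifests embedded in it are constructed for the example, and the "expected for a recorder" list is an assumption, not a published baseline.

```python
"""Audit an AndroidManifest.xml for the permission combination the article
attributes to the trojanized QRecorder build. Added example; the manifests
below are constructed, not taken from the real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# Permissions a voice/call recorder plausibly needs (assumption for this example).
EXPECTED_FOR_RECORDER = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Standard Android permissions that grant the capabilities described in the article.
RISK_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (2FA codes)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps (phishing screens)",
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def audit_manifest(manifest_xml: str) -> dict:
    """Return the risky entries found, other unexpected permissions, and a verdict."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    findings = {p: RISK_PERMISSIONS[p] for p in sorted(declared & set(RISK_PERMISSIONS))}
    # An accessibility service is declared on a <service> element protected by
    # BIND_ACCESSIBILITY_SERVICE, not via <uses-permission>, so check services too.
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == ACCESSIBILITY_PERM:
            findings[ACCESSIBILITY_PERM] = (
                "accessibility service %s can observe and act on other apps' UI" % svc.get(NAME_ATTR)
            )
    unexpected = sorted(declared - EXPECTED_FOR_RECORDER - set(RISK_PERMISSIONS))
    return {"findings": findings, "unexpected_other": unexpected, "suspicious": bool(findings)}


# Constructed manifest resembling a recorder that gained SMS, overlay and accessibility access.
TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest for a recorder that requests only what recording needs.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("trojanized", TROJANIZED_MANIFEST), ("clean", CLEAN_MANIFEST)):
        report = audit_manifest(xml)
        print(label, "suspicious:", report["suspicious"])
        for perm, why in report["findings"].items():
            print("  ", perm, "->", why)
        if report["unexpected_other"]:
            print("  other unexpected:", ", ".join(report["unexpected_other"]))
```

Run it on a manifest extracted from an APK (for example with `apktool` or `aapt`) and the report lists which of the three risky capabilities are present. This catches the combination the article describes, but it is a heuristic: a manifest-only check cannot see the payload that ESET says arrives after installation, so it belongs alongside, not instead of, behavioural analysis of the app after it has had its 12-24 hours to receive instructions.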
Czech Television says that the Trojanized app targets apps from Raiffeisen Bank, as well as ČSOB and Česká Spořitelna, two of the largest banks in the Czech Republic. Stefanko’s analysis revealed that the list of financial institutions the malware monitored was much longer and also included Air Bank, Equa, ING, Bawag, Fio, Oberbank, and Bank Austria.
“Based on language mutations used in the app and payload, I can say the main targets are German, Polish and Czech banks. Different payloads targeting particular apps are created for different banking apps. However, I could not obtain the decryption key and identify all targets,” he says.
Banking Trojan is a BankBot variant
The malware has been identified as Razdel, a less widespread variant of the BankBot (Anubis I) mobile banking Trojan. Security firm ThreatFabric analyzed Razdel and found that its targets change depending on the region its operator is after. The 12,000 downloads appear to have produced at least two victims, who lost about EUR 10,900, a Czech publication reports (in Czech). However, the Google Play app may have stolen smaller amounts from other victims, Filip Hrubý, spokesman for Česká Spořitelna, told the publication.
Miroslav Dvořák, technical director at ESET, says that an internal analysis shows QRecorder was originally a legitimate application, which explains the number of downloads, and that the malicious functionality was added in the last update. As of this writing, the malicious QRecorder app analyzed by ESET researchers is no longer present in the official Android store.