Antivirus company ESET reported that in October and November 2017 its experts discovered new ways of distributing the BankBot mobile banking Trojan. The cybercriminals placed applications on Google Play designed to secretly download the Trojan to users' devices.
At the first stage of the campaign, the Tornado FlashLight, Lamp For DarkNess and Sea FlashLight applications, all carrying malicious functions, appeared on Google Play. At the second stage, they were followed by solitaire games and software for clearing the device's memory.
After the first launch, the loader compares the programs installed on the device with an encoded list of 160 banking mobile applications. When it finds one or more matches, it asks for device administrator rights. Then, two hours after activating the rights, the download of the BankBot mobile Trojan starts – its installation package is disguised as a Google Play update.
All detected downloaders download the same version of BankBot from hxxp://138.201.166.31/kjsdf.tmp. Downloading is possible only if the installation of applications from unknown sources is allowed on the user's device. If this option is not enabled, an error message will appear on the screen and the attack cannot proceed.
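The dropper behaviour described above gives a defender three observable signals: an app of an unexpected category (a flashlight or cleaner) holding device administrator rights, the "unknown sources" toggle being enabled, and a download of the payload from the reported address. The following triage helper, an added example that is not part of ESET's report or any tool mentioned on the page, checks all three against constructed inputs that approximate `adb shell dumpsys device_policy`, `adb shell settings get secure install_non_market_apps` (the pre-Oreo global toggle) and a Squid-style proxy log. The package name `com.tornado.flashlight`, the allowlist `EXPECTED_ADMINS` and all log lines are assumptions; only the payload host and path come from the report.

```python
import re
from urllib.parse import urlparse

# Indicator from the report above (page gives it defanged as hxxp://138.201.166.31/kjsdf.tmp).
PAYLOAD_HOST = "138.201.166.31"
PAYLOAD_PATH = "/kjsdf.tmp"

# Device admins an organisation expects on its fleet; hypothetical allowlist.
EXPECTED_ADMINS = {"com.example.mdm"}

# Constructed excerpt approximating `adb shell dumpsys device_policy` output.
# The package name of the flashlight app is assumed, not taken from the report.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.AdminReceiver:
      uid=10042
      policies:
        wipe-data
    com.tornado.flashlight/.AdminReceiver:
      uid=10117
      policies:
        force-lock
"""

# Constructed value of `settings get secure install_non_market_apps` ("1" = allowed).
SAMPLE_UNKNOWN_SOURCES = "1"

# Constructed, abbreviated Squid-style access.log lines.
SAMPLE_PROXY_LOG = [
    "1509984001.120 10.0.0.7 TCP_MISS/200 1832 GET http://play.googleapis.com/update - text/html",
    "1509984002.450 10.0.0.7 TCP_MISS/200 245760 GET http://138.201.166.31/kjsdf.tmp - application/octet-stream",
    "1509984003.010 10.0.0.9 TCP_MISS/200 512 GET http://example.com/index.html - text/html",
]

# Matches the "    <package>/<receiver>:" lines under "Enabled Device Admins".
ADMIN_LINE = re.compile(r"^\s{4}([A-Za-z0-9_.]+)/\S+:\s*$")


def active_device_admins(dumpsys_text):
    """Return the package names listed as enabled device admins."""
    admins = []
    for line in dumpsys_text.splitlines():
        m = ADMIN_LINE.match(line)
        if m:
            admins.append(m.group(1))
    return admins


def unexpected_admins(admins, allowlist=EXPECTED_ADMINS):
    """Device admins that are not on the expected allowlist, sorted."""
    return sorted(set(admins) - set(allowlist))


def unknown_sources_enabled(setting_value):
    """True when the global unknown-sources toggle reads "1" ("0" or "null" mean disabled)."""
    return setting_value.strip() == "1"


def payload_download_hits(log_lines):
    """Proxy log lines whose request URL points at the reported payload."""
    hits = []
    for line in log_lines:
        for token in line.split():
            if "://" not in token:
                continue
            url = urlparse(token)
            if url.hostname == PAYLOAD_HOST and url.path == PAYLOAD_PATH:
                hits.append(line)
                break
    return hits


def triage(dumpsys_text, unknown_sources_value, log_lines):
    """Combine the three signals into a findings dict with a coarse risk rating."""
    findings = {
        "unexpected_device_admins": unexpected_admins(active_device_admins(dumpsys_text)),
        "unknown_sources_enabled": unknown_sources_enabled(unknown_sources_value),
        "payload_downloads": payload_download_hits(log_lines),
    }
    # A payload fetch is conclusive; an unexpected admin only matters if the dropper
    # could actually install the payload, i.e. unknown sources are allowed.
    confirmed = bool(findings["payload_downloads"])
    exposed = bool(findings["unexpected_device_admins"]) and findings["unknown_sources_enabled"]
    findings["risk"] = "high" if confirmed or exposed else "low"
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEVICE_POLICY, SAMPLE_UNKNOWN_SOURCES, SAMPLE_PROXY_LOG).items():
        print(f"{key}: {value}")
```

The rating logic mirrors the report: with unknown sources disabled the dropper cannot install the payload, so an unexpected device admin alone is rated low and flagged for follow-up rather than treated as a confirmed infection.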
Once installed, BankBot behaves like a typical mobile banking Trojan. When the user opens a targeted banking application, the Trojan displays a fake login and password form over it. The entered credentials are sent to the cybercriminals and used for unauthorized access to the victim's bank account.