Android Lollipop and Marshmallow taste bitter for financial Trojan Bankosy 

Oct 07, 2015 09:02 AM


Last week, we posted a blog discussing how updates to the Android platform have impacted key functionalities of a group of malware families. Today, we are going to look at how one change is affecting a financial Trojan called Android.Bankosy, which was recently noted by Poland’s computer emergency response team (CERT).

When Android Lollipop was released in 2014, the getRunningTasks API was deprecated. Since then, the API returns only a subset of running tasks rather than all of them: the returned data may now include only the caller’s own tasks and a small set of general, non-sensitive ones.

The output of the getRunningTasks API is central to Bankosy because the threat uses it to check which application is currently in the foreground. The Trojan does this to determine whether an application of interest (such as a banking or email app) is running; if one is, the malware overlays a window on top of the targeted application. The overlay window asks the user to disclose sensitive information related to that application, including the following:

  • User ID
  • Password
  • PIN

The following image shows an overlay window that Bankosy uses to steal information when the user opens an email application:

Figure 1. Bankosy overlay window on top of a legitimate email application

Lollipop stops Bankosy
Because Lollipop deprecated the getRunningTasks API, the code in Bankosy responsible for showing the overlay window is never triggered. The threat’s check for a targeted running app always evaluates to “false”, because the API no longer discloses the currently running application unless it belongs to a general app (such as the Launcher) or was created by the caller of the function.

Figure 2 illustrates the general code pattern found in other variants of the Bankosy family, showing how the “if” condition is never satisfied because of the limits Lollipop places on the getRunningTasks API.

Figure 2. Common code pattern found in other variants of Bankosy
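The foreground-check-then-overlay pattern described above is also a useful triage heuristic for analysts reviewing decompiled Android source. The following is an added example, not Symantec’s or Bankosy’s code: it scores constructed source snippets for the combination of a getRunningTasks call, a read of the top activity’s package name, a hard-coded list of package names, and an overlay call. The overlay indicators (WindowManager.addView, TYPE_SYSTEM_ALERT) are assumptions about how such a window is commonly drawn, not details from this post.

```python
"""Heuristic triage of decompiled Android source for the Bankosy-style
foreground-check-then-overlay pattern. Added example; the sample sources
below are constructed and are not real malware code."""
import re

# Each indicator is a simple, explainable regex over decompiled Java text.
INDICATORS = {
    "running_tasks": re.compile(r"\bgetRunningTasks\s*\("),
    "top_activity_pkg": re.compile(r"\btopActivity\b.*\bgetPackageName\s*\("),
    # Quoted dotted package-name literals, e.g. "com.example.bank.one".
    "package_list": re.compile(r'"(?:[a-z][a-z0-9_]*\.){2,}[a-z][a-z0-9_]*"'),
    # Assumed overlay indicators (not from the original post).
    "overlay": re.compile(r"\baddView\s*\(|\bTYPE_SYSTEM_ALERT\b"),
}

def analyse(source: str) -> dict:
    """Return per-indicator hits and an overall verdict for one source unit."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    # A single package literal is normal; three or more compared in one place
    # is what a target list looks like.
    hits["package_list"] = len(INDICATORS["package_list"].findall(source)) >= 3
    # Require all four: a task manager that merely lists tasks must not trip this.
    suspicious = all(hits[k] for k in ("running_tasks", "top_activity_pkg",
                                       "package_list", "overlay"))
    return {"indicators": hits, "suspicious": suspicious}

# Constructed sample: a benign task-manager style use of the deprecated API.
BENIGN_TASK_MANAGER = """
List<RunningTaskInfo> tasks = am.getRunningTasks(20);
for (RunningTaskInfo t : tasks) { adapter.add(t.baseActivity.getClassName()); }
"""

# Constructed sample: the pattern the post describes (package names are fake).
SUSPICIOUS_OVERLAY = """
String top = am.getRunningTasks(1).get(0).topActivity.getPackageName();
String[] targets = {"com.example.bank.one", "com.example.bank.two", "com.example.mail.app"};
for (String t : targets) { if (t.equals(top)) { wm.addView(fakeLogin, params); } }
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_TASK_MANAGER), ("suspicious", SUSPICIOUS_OVERLAY)):
        print(label, analyse(src))
```

On Lollipop and later the same code path is inert, as the post explains, so a hit mainly indicates risk to devices still running older releases.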

Symantec detects the malware as Android.Bankosy and recommends the following security best practices:

  • Keep your software up to date
  • Refrain from downloading apps from unfamiliar sites
  • Only install apps from trusted sources
  • Pay close attention to the permissions requested by an app
  • Install a suitable mobile security app, such as Norton, in order to protect your device and data
  • Make frequent backups of important data
