Android malware source code used to hijack banking details leaks online

Security experts are warning that Android users should brace for a potential spike in hacking attacks after the source code and step-by-step instructions about a piece of malware designed to steal banking credentials was leaked online via an underground forum.

Experts from Dr Web, a Russian anti-malware company, said the leak occurred sometime over the past month and that it had already resulted in a new variant of malware – dubbed BankBot – that is able to stealthily hide on a victims' phone and hijack personal details.

"[We] believe that this may lead to a significant increase in the number of attacks involving Android banking Trojans," the researchers warned in a blog post. After downloading and analysing the code, the experts found it is able to mirror popular services, including PayPal.

The Trojan is distributed on third-party app stores in the guise of Google-related services. Once it is downloaded, it asks for administrative privileges and if the victim unwittingly allows this it transforms into an effective – if somewhat traditional – banking threat.

Straight away, BankBot connects to the criminals' command and control (C&C) server and awaits further instructions. At the same time it is able to hide itself by automatically removing its shortcut from the device's home screen, the researchers said.

The escalated privileges gained by the malware then give an attacker the ability to send text messages; intercept call data; intercept text messages; obtain all contact list phone numbers; track device geolocation via GPS satellites, and more.

BankBot also checks the Android device for the presence of banking applications and payment systems including Sberbank Online, Sberbank Business Online, Alfa-Bank, PayPal, Yandex Money, Bank of America Mobile Banking, and Wells Fargo Mobile. Currently, the malware appears to be focused on targeting users based in Russia.

It has the ability to steal a victim's personal information by tracking the launch of applications including Facebook, Snapchat, WeChat, Instagram and Twitter. In each instance, it pops up a "phishing" screen that closely resembles the official Google Play dialogue box and asks for details.

This box requests personal information from the user, including banking data. When the infected phone received a text message, the Trojan is even able to turn off sounds and vibrations and send the message content directly to the cybercriminals, the Dr Web experts claimed.

The researchers warned other variants are likely to surface as the source code circulates and gets modded. "As cybercriminals created it with publicly available information, one can anticipate that many Trojans similar to it will appear," they added.

Lamar Bailey, a security expert at Tripwire, said: "Dumping malware code is [an effective] way to allow others to contribute to the code and modify it to help evade detection." The more mods, the harder it is for cybersecurity firms to detect, he added.

It's not the first time source code for Android malware has been leaked online. In February last year, GMBot, a highly effective exploit kit, was found on the Dark Web by experts from IBM. The Russian-made malware was a sophisticated banking and spyware tool that quickly spread.