The PagBank application, targeted by PixStealer, implements an identity verification process before allowing the user to perform a Pix transaction. The process makes sure the device belongs to the owner of the bank account and requires the user to pass the following steps on each mobile device:

Only when the documents and the selfie pass a manual check on the bank’s side is Pix transfer enabled on the device. These measures guarantee that stolen credentials and even SIM swapping are not enough to perform Pix transactions. The danger of malware like PixStealer is that it bypasses all these checks, because it runs on the victim’s device, which has already passed the identification stage.
A standalone banker stealer that does not require a C&C connection is lightweight and almost undetectable, but lacks the ability to make adjustments dynamically. By looking for similar applications, we found another version of the same family which has multiple code similarities with PixStealer: manifest, log messages, service and method names.

Figure 11: Example of similar logging functions in MalRhino (on the top) and PixStealer samples.

The malicious application is a fake iToken app for the Brazilian Inter Bank, with the package name com.gnservice.beta, and it was also distributed via the Google Play Store.
The MalRhino variant uses JavaScript via Mozilla’s Rhino framework to process Accessibility Events dynamically, depending on the top running app, to provide the actor with remote code execution access. This technique is not commonly used in mobile malware and shows how malicious actors are becoming more innovative to avoid detection and get inside Google Play. The last time our researchers found RhinoJS used for malicious actions was by the Xbot banker malware in 2016.

Just like in the previous version, the malware shows the victim a message trying to convince them to grant the Accessibility permission:

Figure 12: “To continue, activate accessibility service from the iToken developed by Inter Digital Development”.

When it obtains Accessibility access, the malware performs the actions that are typical for this family and implements them the same way as in the previous versions:

To check whether the top running application in the system is a supported banking app, the malware uses the package name. To avoid detection of banking package name strings inside the app, the malware reads the package name, calculates its MD5 checksum, and then compares it with a pre-defined list:

Figure 13: The malware checks the package name using MD5 hashes
Name | Package Name | MD5
Inter bank | br.com.intermidium | 2ef536239b84195e099013cfda06d3dd
NuBank | com.nu.production | 678212691ab75ea925633512d9e3b5f4
Next | br.com.bradesco.next | d74e8b32e9d704633bd69581a15f55de
Santander | com.santander.app | 38737771e1ddab60c062cd0be323e89b
UOL PagBank | br.com.uol.ps.myaccount | 5b3deb74ec783b05645b3fff5d56667d
Banco original | br.com.original.bank | 64679e8af5f494db86fb7b7312e79ba9
Table 1: List of bank applications targeted by the MalRhino variant.
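Hashing the package name instead of storing it is an obfuscation an analyst can undo offline: extract the 32-hex-character constants from the decompiled comparison routine and recompute MD5 over a candidate list of bank package names. The following Python is an added example (not code from the article or the sample) that does this with Table 1; it assumes the malware hashes the raw UTF-8 package string with no salt, and the decompiled snippet it parses is constructed.

```python
import hashlib
import re

# Table 1 from the article: target package name -> MD5 stored in the malware.
TABLE_1 = {
    "br.com.intermidium": "2ef536239b84195e099013cfda06d3dd",
    "com.nu.production": "678212691ab75ea925633512d9e3b5f4",
    "br.com.bradesco.next": "d74e8b32e9d704633bd69581a15f55de",
    "com.santander.app": "38737771e1ddab60c062cd0be323e89b",
    "br.com.uol.ps.myaccount": "5b3deb74ec783b05645b3fff5d56667d",
    "br.com.original.bank": "64679e8af5f494db86fb7b7312e79ba9",
}

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def md5_hex(package_name: str) -> str:
    """MD5 of the package name's UTF-8 bytes (assumption: the malware hashes the raw string)."""
    return hashlib.md5(package_name.encode("utf-8")).hexdigest()


def extract_md5_constants(decompiled_text: str) -> list:
    """Pull every 32-hex-character literal out of decompiled code, lower-cased, deduplicated, in order."""
    seen, out = set(), []
    for h in MD5_RE.findall(decompiled_text):
        if h.lower() not in seen:
            seen.add(h.lower())
            out.append(h.lower())
    return out


def resolve_hashes(hashes, candidate_packages) -> dict:
    """Map each hash to the candidate package that produces it, or None when no candidate matches."""
    lookup = {md5_hex(p): p for p in candidate_packages}
    return {h.lower(): lookup.get(h.lower()) for h in hashes}


def verify_table(table=TABLE_1) -> list:
    """Recompute Table 1; returns package names whose recomputed MD5 differs from the listed one."""
    return [p for p, h in table.items() if md5_hex(p) != h.lower()]


if __name__ == "__main__":
    # Constructed stand-in for a decompiled comparison routine; not taken from the real sample.
    sample = ('if (h.equals("678212691ab75ea925633512d9e3b5f4") '
              '|| h.equals("2ef536239b84195e099013cfda06d3dd")) { ... }')
    found = extract_md5_constants(sample)
    print(resolve_hashes(found, TABLE_1))  # candidates: the six packages from Table 1
    print("table mismatches:", verify_table())
```

Unresolved hashes (None) are candidates for a larger package list, such as every app installed on a reference device.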
Rhino is a JavaScript engine written fully in Java and managed by the Mozilla Foundation as open-source software. The malware developers used the open-source rhino-android library, which allows executing JavaScript code with a bridge to Java code.

If the running application is one supported by the malware, it sends a request to the C&C server to get JavaScript code with Rhino JS “macros”:

Figure 14: The malware runs the GetMacroForPackage function (top) which requests JS code from the server according to the top running app.

The response from the C&C server contains JavaScript code to be executed using the Rhino engine:

Figure 15: The malware executes JavaScript code inside the targeted app.

Using the Rhino JS engine, the malware has the ability to perform remote code execution when a targeted app is launched. The AccessibilityService code contains various utility methods that are not called from the Java code and are most likely intended to be triggered from the JavaScript code the malware gets from the C&C server. These utility methods include creating fake windows with a PIN request, clicking on elements, making gestures, inputting text, etc.
Figure 16: The utility methods performing different actions using the Accessibility Service.
In this article, we analyzed two significantly different versions of the banking malware. Both of them introduced new, innovative techniques to perform different actions on victims’ mobile bank accounts. The PixStealer version uses the Pix instant payment system to transfer all the funds in the victim’s account to an actor-controlled one by abusing the Accessibility Service on an unsuspecting user’s phone. The MalRhino version uses a JavaScript-based framework to run commands inside banking applications. With the increasing abuse of the Accessibility Service by mobile banking malware, users should be wary of enabling the relevant permissions even in applications distributed via known app stores such as Google Play.

Check Point Harmony Mobile is a Mobile Threat Defense solution that keeps corporate data safe by securing employees’ mobile devices across all attack vectors: apps, network and OS.
PixStealer

28e8170485bbee78e1a54aae6a955e64fe299978cbb908da60e8663c794fd195 com.pagcashback.beta
c0585b792c0a9b8ef99b2b31edb28c5dac23f0c9eb47a0b800de848a9ab4b06c com.pagback.beta
8b4f064895f8fac9a5f25a900ff964828e481d5df2a2c2e08e17231138e3e902 com.gnservice.beta

MalRhino

2990f396c120b33c492d02e771c9f1968239147acec13afc9f500acae271aa11 com.gnservice.beta

Source: https://research.checkpoint.com/2021/pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services/