Details of banking Trojan android virus Android.ZBot that steals credit card details through Web injections. Dr.Web detects a new mobile banking Trojan targeting Android users, a carefully placed with false payment forms to trick users into providing sensitive financial details.
Security experts have found the Trojan virus (Android.ZBot) in February for the first time, and so far seems only active in Russia, after infecting around 52,000 units in 20 different servers of C&C.
Dr.Web employees entitled to access to three of these botnets, where they had found 140-2300 affected android devices. Only 15 of the 20 botnets were at the time of the release of Dr.Web announcement are still active.
Infections occur through a fake Google Play Store application. Infection, as occurs in most cases, if users are careless enough to install third-party applications from unofficial Android app stores. For Android.ZBot, the offender will be disguised as official Google Play Store.
If this application is installed, it immediately asks for administrator privileges. If the user recognizes to refuse the false root privileges and the Trojan Horse, in a desperate attempt, shows a form of false payment on the user’s screen, trying one last time before the uninstalled trick. A desperate Hail Mary, but very inefficient.
On the other hand, if it is allowed to install, the Trojan horse hides itself from the home screen, ensures that every time the machine starts it begins with the collection of personal data of users.
Key Features of Android.ZBot allows you to see the use of smartphone and place the payment masterfully in other applications.
Trojan only targets the Russian banking applications, for now
These methods mimic the native user interface of payment of the application and introduced stripped with the WebView component without browser UI.
The Trojan do not works for all applications running on the mobile phone, but only for a selection list, the constantly updated and calls a C&C server, most of them are banking or financial applications related mobilized exclusively in Russia.
“Although this is a classic phishing attack, the way it is done in this particular case is very unique,” says Dr.Web team. “Even virus writers often call these malicious features such as injections Web, but is not the case, due to restrictions for Android, Trojans can not injecting external HTML code as one of the attacked dialog applications.”
Dr.Web researchers also said that pressing the Back button, if the trogan payment form pops out then it closes itself, an action to create the illusion that this form is actually a part of the application itself and next time people provide personal credentials or payment details and get robbed.