Mobile banking Trojan sneaks into Google Play targeting Wells Fargo, Chase and Citibank customers.
By Nikolaos Chrysaidos, with Niels Croese (SfyLabs) and Lukas Stefanko (ESET)
Recently, the mobile threat intelligence team at Avast collaborated with researchers at ESET and SfyLabs to examine a new version of BankBot, a piece of mobile banking malware that has snuck into Google Play on numerous occasions this year, targeting apps of large banks including WellsFargo, Chase, DiBa and Citibank and their users in the U.S., Australia, Germany, Netherlands, France, Poland, Spain, Portugal, Turkey, Greece, Russia, Dominican Republic, Singapore and Philippines.
The new version of BankBot has been hiding in apps that pose as supposedly trustworthy flashlight apps, tricking users into downloading them, in a first campaign. In a second campaign, the solitaire games and a cleaner app have been dropping additional kinds of malware besides BankBot, called Mazar and Red Alert (Mazar was recently described by ESET and we won't dive into the details here). However, instead of bringing light, joy and convenience into their users' lives, the dark intention of these apps has been to spy on users, collect their bank login details and steal their money.