LTS Secure Warning: Asacub evolves to steal money through mobile banking apps

The Asacub Trojan was first detected in 2015. It belongs to the AndroidOS.Asacub family; the first version to be detected and analysed proved more adept at spying than at stealing funds. The Trojan has evolved since then, aided by a large-scale distribution campaign by its creators.

Technical Details

Although Asacub’s capabilities gradually evolved, its network behaviour and its method of communication with the command-and-control (C&C) server changed little. This strongly suggests that these banking Trojans, despite differing in capability, belong to the same family.

The data transmitted and received is encrypted with the RC4 algorithm and encoded using the base64 standard. The encrypted data was always sent to the C&C server via HTTP, in the body of a POST request to the relative address /something/index.php.

The C&C address and the encryption key (a single key shared across modifications in versions 4.x and 5.x, and a distinct key per C&C in later versions) are stitched into the body of the Trojan.

Impact

During installation, depending on the version of the Trojan, Asacub prompts the user either for Device Administrator rights or for permission to use the Accessibility Service. After receiving the rights, it sets itself as the default SMS app and disappears from the device screen. If the user ignores or rejects the request, the window reopens every few seconds. After installation, the Trojan starts communicating with the cybercriminals’ C&C server. All data is transmitted in JSON format (after decryption). The first message includes information about the smartphone model, the OS version, the mobile operator, and the Trojan version.

  • Asacub can withdraw funds from a bank card linked to the phone by sending an SMS that transfers funds to another account, identified by card number or mobile phone number.
  • The Trojan intercepts SMS from the bank that contain one-time passwords and information about the balance of the linked bank card.
  • The Trojan can also autonomously retrieve confirmation codes from SMS and send them to the required number.
  • The user cannot check the balance via mobile banking or change any settings there, because after receiving the command with code 40, the Trojan prevents the banking app from running on the phone.
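The Technical Details above describe the C&C traffic as JSON that is RC4-encrypted and then base64-encoded before being POSTed, with the first beacon carrying the phone model, OS version, operator and Trojan version. The following decoder is an added example for this advisory, not code from the malware or from any vendor report: given a captured POST body and the RC4 key recovered from a sample, it reverses the two layers and extracts the fingerprint fields. The key, the sample beacon and the JSON field names are constructed assumptions; the report does not give the exact key names.

```python
"""Decoder for the Asacub-style C&C traffic layering described above.

Added example for this advisory, not code from the malware or from any
vendor report. It assumes only what the text states: the request body is
RC4-encrypted and base64-encoded, and the decrypted content is JSON.
The key, the beacon and the field names below are constructed for illustration.
"""
import base64
import binascii
import json
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the input
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_beacon(payload: dict, key: bytes) -> str:
    """Build a request body the way the text describes: JSON -> RC4 -> base64.
    Used here only to produce test traffic for the decoder."""
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(rc4(key, raw)).decode("ascii")


def decode_beacon(body: str, key: bytes) -> Optional[dict]:
    """Reverse the layering on a captured POST body.
    Returns the JSON object, or None if the body is not valid base64 or the
    key does not yield valid JSON (a wrong key produces garbage bytes)."""
    try:
        blob = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    plain = rc4(key, blob)
    try:
        obj = json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


# Fields the text says the first beacon carries. These key names are
# assumed for the example; the report does not state them.
BEACON_FIELDS = ("model", "os", "operator", "version")


def summarize_beacon(obj: dict) -> dict:
    """Pull out the device-fingerprint fields an analyst would log."""
    return {k: obj.get(k) for k in BEACON_FIELDS}


# Constructed sample: a key and a beacon invented for this example.
SAMPLE_KEY = b"example-key-not-real"
SAMPLE_BEACON = {"model": "Pixel 3", "os": "9", "operator": "ExampleTel", "version": "5.0.0"}

if __name__ == "__main__":
    body = encode_beacon(SAMPLE_BEACON, SAMPLE_KEY)
    print("POST body:", body)
    print("decoded:", summarize_beacon(decode_beacon(body, SAMPLE_KEY)))
    print("wrong key:", decode_beacon(body, b"wrong-key"))
```

Because RC4 is symmetric, the same routine serves for producing test bodies and for decoding captures; `decode_beacon` returns `None` rather than garbage when the key is wrong, which is how an analyst can tell a recovered key belongs to a given C&C when later versions use a distinct key per server.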

Recommended Actions

Follow the actions below to protect yourself from an Asacub Trojan attack.

  • Avoid downloading apps from third-party sources, or from links provided in SMS messages or emails.
  • Always keep installation from “Unknown Sources” disabled.
  • Verify app permissions before installing any app, even from an official store like the Google Play Store.
  • Always keep your mobile security app and OS up to date. Attackers mostly target outdated apps or OS versions.
