In the past, we've seen Android malware that executes privacy leakage, banking credential theft, or remote access separately, but this sample takes Android malware to a new level by combining all of those activities into one app. In addition, they continued, we found the hacker has designed a framework to conduct bank hijacking and is actively developing towards this goal.

We suspect in the near future there will be a batch of bank hijacking malware once the framework is completed.

Right now, eight Korean banks are recognized by the attacker, yet the hacker can quickly expand to new banks with just 30 minutes of work.

New Android Banking credentials stealer RAT malware found in South Korea : FireEye

The package name of this new RAT (remote access tool) malware is com.ll, and it appears as Google Service Framework with the default Android icon. Android users can't remove the app unless they deactivate its administrative privileges in the settings.

So far, the Virus Total score of the sample is only five positive detections out of 54 AV vendors.

Such new malware is published quickly partly because the CNC server, which the hacker uses, changes so rapidly.


We cannot tell if it's the hacker's IP or a victim IP controlled by the RAT, but the URL is named after the unit ID and the UUID generated by the CNC server.

Given the unique nature of how this app works, including its ability to pull down multiple levels of personal information and impersonate banking apps, a more robust mobile banking threat could be on the horizon.


source: www.techworm.net