New trojan wave targets crypto wallets and banking apps

Cybersecurity researchers have found four active families of Android malware that are targeting +800 apps, including cryptocurrency wallets and banking apps. These malware use methods that most traditional security tools can’t detect.

Zimperium’s zLabs team released results tracking the trojans known as RecruitRat, SaferRat, Astrinox, and Massiv.

According to the company’s research, each family has its own command-and-control network that they use to steal login information, take over financial transactions, and get user data from infected devices.

Crypto and banking apps face new threats from multiple malwares

The malware families are a direct threat to anyone who manages crypto on Android.

Once installed, the trojans can put fake login screens on top of real crypto and banking apps, stealing passwords and other private information in real time. The malware then puts a fake HTML page over the real app interface, making what the company called “a highly convincing, deceptive facade.”

“Using Accessibility Services to monitor the foreground, the malware detects the exact moment a victim launches a financial application,” wrote security researchers from Zimperium.

According to the report, the trojans can do more than just steal credentials. They can also capture one-time passcodes, stream a device’s screen to attackers, hide their own app icons, and stop people from uninstalling them.

Each campaign uses a different bait to get people to fall for it.

SaferRat spread itself by using fake websites that promised free access to premium streaming services. RecruitRat hid its payload as part of a job application process, sending targets to phishing sites that asked them to download a malicious APK file.

Astrinox used the same kind of recruitment-based method, using the domain xhire[.]cc. Depending on the device used to visit that site, it showed different content.

Android users were asked to download an APK, and iOS users saw a page that looked like the Apple App Store. However, security researchers found no proof that iOS was actually hacked.

It was not possible to confirm how Massiv was distributed during the research cycle.

All four trojans used phishing infrastructure, text-message scams, and social engineering that played on people’s need to act quickly or their curiosity to get them to sideload apps that were harmful.

Crypto malware evades detection

The campaigns aim to get around security tools.

Researchers found that the malware families use advanced anti-analysis techniques and structural tampering with Android application packages (APKs) to keep what the company called “near-zero detection rates against traditional signature-based security mechanisms.”

Network communications also mix in with regular traffic. The trojans use HTTPS and WebSocket connections to talk to their command servers. Some versions add extra layers of encryption on top of these connections.

Another important thing is persistence. Modern Android banking trojans no longer use simple, one-stage infections. Instead, they use multi-stage installation processes that are meant to get around Android’s changing permission model, which has made it harder for apps to do things without the user’s explicit permission.

The report did not identify particular crypto wallets or exchanges within the +800 targeted applications. But because of overlay attacks, passcode interception, and screen streaming, any Android-based crypto app could be at risk if a user installs a malicious APK from outside the Google Play Store.

Downloading apps from links in text messages, job postings, or promotional websites is still one of the guaranteed ways for mobile malware to get into a smartphone.

People who manage their crypto on Android devices should only use official app stores and be wary of pop-up messages that ask them to download something.

The smartest crypto minds already read our newsletter. Want in? Join them.