BankBot Malware Reappears As A Match-Three Android Game

September 26, 2017 - Written By Mark Real

The BankBot Trojan, a malware family that steals online banking credentials, has reappeared on the Google Play Store. It was first spotted in December 2016, and after its source code was released online several iterations of it have surfaced. According to security researchers at ESET, the developers of the latest iteration hid the malicious code inside a match-three game called Jewels Star Classic, a name chosen to resemble that of a legitimate Android game, Jewels Star. Between its release on August 26 and its removal on September 7, the game was installed more than 5,000 times. Twenty minutes after the game is first run, it asks the user to enable a service named “Google Service” in the Android Accessibility settings. Once that is granted, the accessibility service clicks through the system dialogs on the user’s behalf: it allows installation of apps from outside the Google Play Store, installs the BankBot payload (which shows up on the device as “Google Update”), grants it device administrator rights, and sets it as the default SMS application. All of this happens beneath a fake “Google Update” screen that hides the activity and keeps the user from interacting with the device.

Once the Google Play Store app is opened, the malware draws a fake overlay on top of it asking for the user’s credit card details. The overlay relies on the permission to draw over other apps rather than on administrator rights; the device administrator status chiefly makes the Trojan hard to uninstall, which is why removal begins with deactivating it. Because BankBot is also the default SMS app, it can defeat SMS-based two-factor authentication: it reads the verification codes that banks and other financial institutions send by text message and logs them for the attackers.
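As an added illustration (this is not ESET’s code or anything from the article), the following Python script shows a manifest-level triage heuristic for the capability combination described above: an accessibility service, a device-administrator receiver, the intent filter a default SMS app must declare, the draw-over-apps permission, and the permission to install packages from outside the store. Both manifests are constructed for the example, the package and class names are made up, and the scoring threshold is an arbitrary choice.

```python
"""Manifest triage heuristic for banker-style Android droppers.

Added example, not ESET's or the article's code. Flags the permission and
component combination the BankBot dropper described above depends on:
accessibility service, device-admin receiver, default-SMS-app intent filter,
draw-over-apps permission, and installing packages from unknown sources.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # Clark-notation prefix for android:* attributes

# Constructed sample manifest modelled on the behaviour in the article.
# Package and class names are invented for illustration.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.jewelsclone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Jewels Star Classic">
    <service android:name=".GoogleService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SystemUpdateAdmin"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver"
        android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary game, for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Puzzle">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def analyze_manifest(xml_text):
    """Return (capability flags, list of the flags that are set)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    comp_perms = {e.get(A + "permission") for e in root.iter() if e.get(A + "permission")}
    actions = {e.get(A + "name") for e in root.iter("action")}

    caps = {
        # A service bound with BIND_ACCESSIBILITY_SERVICE can read the screen
        # and click through system dialogs on the user's behalf.
        "accessibility_service": "android.permission.BIND_ACCESSIBILITY_SERVICE" in comp_perms,
        # A DeviceAdminReceiver blocks uninstall until the admin is deactivated.
        "device_admin": "android.permission.BIND_DEVICE_ADMIN" in comp_perms,
        # Handling SMS_DELIVER is what lets an app be chosen as default SMS app,
        # which hands it every incoming text, bank one-time codes included.
        "default_sms_candidate": ("android.provider.Telephony.SMS_DELIVER" in actions
                                  or "android.permission.RECEIVE_SMS" in perms),
        # Needed to draw a fake credit-card form over the Play Store app.
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        # Needed to sideload a second-stage APK.
        "install_packages": "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
    }
    findings = [name for name, present in caps.items() if present]
    return caps, findings


def risk_score(caps):
    """Number of banker-style capabilities present (0 to 5)."""
    return sum(1 for present in caps.values() if present)


def is_banker_like(xml_text, threshold=3):
    """Arbitrary threshold: three or more of the five capabilities together."""
    caps, _ = analyze_manifest(xml_text)
    return risk_score(caps) >= threshold


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        caps, findings = analyze_manifest(manifest)
        print(label, risk_score(caps), findings)
```

In practice the manifest comes out of an APK via apktool or aapt; the binary manifest must be decoded to text XML first, since this parser expects plain XML. The heuristic is only a triage aid: legitimate SMS clients and accessibility tools declare some of these, so the combination, not any single flag, is what merits a closer look.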

If a user suspects that BankBot has infected their handset, ESET details the steps to remove it. First, deactivate the device administrator named “System Update”, if present, in the device administrator settings; until that is done, Android will refuse to uninstall the app. Next, uninstall the “Google Update” app and the app that carried the malware onto the device, in this case Jewels Star Classic. More generally, it is advisable to stick to official app stores such as the Google Play Store and to check an app’s ratings, reviews, and install count before installing it, bearing in mind that this game sat in the Play Store for nearly two weeks, so store presence alone is no guarantee. Finally, choosing a second factor other than text messages, such as the Google Authenticator app, means that even malware that has taken over the SMS role cannot read the one-time codes and should reduce the chances of attackers accessing a user’s accounts.