BankBot is a malware targeting Android OS, and has appeared in the Google Play Store in different forms, often impersonating well-known application icons or names.The predecessor of this malware, BankBotAlpha, was first published back on December 19th, 2016, in a Russian forum as a new initiative to build an Android banker from scratch. The complete code for this malware and its command and control (C&C) panel in PHP is available online. As of April 2017, there are 141 variants as reported by Fortinet in their analysis of this malware. All variants use the internal name com.example.livemusay.myapplication with the known names and icons used by the malware being:

MMS Flash Player 11 Adoby Flash Player
(with a ‘y’)
Play Market Update Game Launcher My Application Kate Mobile
MMS Flash Icon Adoby Flash Icon Play Market Update Icon Game Launcher Icon My Application Icon Kate Mobile Icon

Admin privileges are gained via system prompt to user for Application Permissions. These are used to collect information like IMEI, bank applications present on the device, OS version, presence of root, and other sensitive functions.It is claimed that injection works in versions of Android up to 6.0 (Marshmallow).

When an infected device runs a targeted banking application, the malware takes control and replaces the actual screen of the application with their own phishing page which imitates the original application. Cautious users may be able to determine the difference, but many users will not be able to. The example below shows an example Qiwi Wallet phishing screen vs. an actual Qiwi wallet screen.

Native QiwiWallet Example BankBotAlpha022web.png
Unaltered Qiwi Wallet Screen BankBot Phishing Screen

Once the user inputs their credentials, their data is sent to the C&C, where it is saved in a database. All the data is sent to the C&C server through SMS and HTTP protocol.

From a general point of view, BankBot and BankBotAlpha are very similar in their action and in code, still the difference between them is that BankBot packs more features than the alpha version, with AV detection, a higher number of banking apps controlled, messaging applications monitored, sometimes even obfuscation.

Enabling the TSCritical targets in your user policy will add protection against Bankbot and BankBotAlpha while devices are connected to your ThreatSTOP DNS and IP Firewall Services protected network. If you do not have a ThreatSTOP account Sign up for a free trial.

If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub, or contact our Support team.