ACG-CYBER SECURITY BULLETIN NO 116 UNDERSTANDING TROJAN BANKBOT
The following information was obtained from the different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).
The information provided was classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
BankBot is a banking Trojan designed to steal banking credentials and payment information. It often deceives the victims into handing over their bank details by presenting an overlay window which looks identical to the login page of a bank app. When the victim is using a two-factor authentication, the malware is capable of monitoring this in order to provide attackers with all the information they need to raid the victim’s banking information.
BankBot can be found in various Google Play Store apps despite the effort of Google to get rid of it. The newest version of this kind of malware seems to be benign software to avoid detection by Android security. When BankBot is initially installed on a device, the app asks for variety of intrusive permissions including but not limited to the ability to read and send messages, access the internet and write to external storage which provides the BankBot all the permissions needed to overlay fake login screen and extract the stolen information and send it back to the attacker.
The new BankBot has been hiding in apps that pose as supposedly trustworthy flashlight apps. It has been observed that solitaire games and cleaner app have been dropping additional kind of malware besides BankBot, to include Mazar and Red Alert. The affected apps include Tornado FlashLight, Lam For DarkNess and Sea FlashLight. Google exerted effort to remove some of the BankBot carrying apps from the Play Store within several days, but some remained active thereby infecting thousands of users.
PNP personnel and the public are advised to follow the tips in order to stay protected against BankBot Trojan:
- Deactivate the option in Google Play to download apps from other sources.
- Before downloading a new app, check the user ratings.
- Always pay attention to the permission that an app requests for. If a flashlight app requests access to contact, photos and media files, be extra cautious.
For additional information, please refer to the following websites:
POINT OF CONTACT