BankBot is a notorious family of Android banking trojans that emerged in 2017. It is designed to target Android devices, particularly in the context of banking and financial apps. BankBot variants are typically distributed through malicious apps, often disguised as legitimate or popular applications, and can be found on third-party app stores or through phishing campaigns.
In April 2017, researchers discovered a new form of Android-targeting malware that used fake overlay screens to mimic existing banking apps and steal user credentials. Distributed through Google Play as seemingly benign apps, BankBot-infected apps posed as 20 entertainment and mobile banking apps. This first version of BankBot targeted a small number of institutions.
In October 2017, the threat widened as BankBot variants expanded to target over 150 banks in 27 countries. While there are some regional variations (for example, those targeting banks in the GCC region), BankBot is fundamentally a mobile phishing attack. Once it is installed and running on the device, BankBot phishes user credentials as follows:
- It checks the package information of the apps installed on the device for one of the targeted bank apps.
- If one is found, BankBot connects to its C&C server and uploads the target’s package name and label; the C&C server then sends back a URL for the library that contains the files used for the overlay webpage.
- BankBot monitors the device for the launch of any target bank app. When the legitimate app runs, the malware displays the overlay page on top of it.
- The overlay tricks users into believing they are using the legitimate app and phishes their credentials.
There are now many variations of the BankBot banking trojan. Some have targeted European banks, including several Polish banks. BankBot variants have also been disguised as seemingly legitimate apps such as “Crypto Monitor,” a cryptocurrency price-tracking app, and “StorySaver,” a third-party tool for downloading stories from Instagram. These BankBot variants use the same approach of displaying fake notifications and login forms from legitimate institutions and phishing user credentials through the overlay forms.
Threats Posed by BankBot to Mobile Banking Apps
- Data Theft: BankBot is primarily designed to steal sensitive financial information from the user’s device. The stolen data includes login credentials (usernames and passwords) for mobile banking apps and other financial services.
- Overlay Attacks: BankBot is known for its overlay attack techniques. It can display fake login screens on top of legitimate mobile banking apps. Unsuspecting users may enter their credentials into these fake interfaces, which are then captured by the trojan.
- Keylogging: The trojan can capture keystrokes made by the user, including login information and other sensitive data entered into mobile banking apps.
- SMS Intercept: BankBot can intercept SMS messages on the infected device, including one-time passwords (OTPs) and transaction verification codes sent by mobile banking apps. This approach allows attackers to bypass two-factor authentication measures.
- Accessibility Service Abuse: BankBot may abuse Android’s accessibility services to gain control over the device’s functions and manipulate app interfaces, which makes its activity challenging to detect.
- Remote Control: Some BankBot variants can establish a connection to a command and control (C2) server controlled by attackers. This connection enables remote control of the infected device, allowing attackers to execute various commands, including unauthorized transactions.
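The overlay and accessibility-service abuse described above (and in the infection steps earlier on this page) can be countered in the banking app itself. The following Kotlin login activity is an added example, not code from this page or from any particular vendor: it drops touches that arrive through another window, refuses to show the form while an accessibility service outside an assumed allowlist is enabled, and uses hypothetical layout and view ids.

```kotlin
// Added example: defensive checks for a banking app's login screen against
// overlay (tap-jacking) and accessibility-service abuse. Layout/view ids and
// the allowlist entry are assumed placeholders.
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Bundle
import android.view.MotionEvent
import android.view.accessibility.AccessibilityManager
import android.widget.EditText
import android.widget.Toast

class LoginActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_login) // assumed layout resource

        // 1. Credential fields ignore touches delivered while another window is
        //    drawn over them. Android marks such events with
        //    FLAG_WINDOW_IS_OBSCURED, so a fake overlay cannot click through.
        listOf(R.id.username, R.id.password).forEach { id ->
            findViewById<EditText>(id).filterTouchesWhenObscured = true
        }

        // 2. Do not present the login form at all while an accessibility service
        //    that is not on the app's allowlist is active on the device.
        if (untrustedAccessibilityServiceEnabled()) {
            Toast.makeText(this, "Login unavailable: an unknown accessibility service is enabled",
                Toast.LENGTH_LONG).show()
            finish()
        }
    }

    // 3. Whole-activity guard: if anything obscures this window, swallow the
    //    touch instead of dispatching it. This is where risk telemetry would be
    //    recorded for the real-time monitoring the mitigation list recommends.
    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        if (ev.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED != 0) return true
        return super.dispatchTouchEvent(ev)
    }

    private fun untrustedAccessibilityServiceEnabled(): Boolean {
        val am = getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        val enabled = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        return enabled.any { it.id !in ALLOWED_SERVICES }
    }

    companion object {
        // Assumed allowlist of trusted service ids ("package/ServiceClass"); placeholder value.
        private val ALLOWED_SERVICES = setOf("com.example.trusted/.ScreenReaderService")
    }
}
```

The obscured-touch checks stop overlays from passing input into the legitimate app, but they cannot see what the user typed into the fake screen; pairing them with the accessibility-service check and server-side anomaly monitoring gives the app a signal before credentials reach the attacker.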
Mitigating the Threat of BankBot
To protect your mobile banking app and its users from the BankBot banking trojan and similar threats, consider implementing the following security measures:
- Regular Updates: Keep your mobile banking app and its dependencies up-to-date with the latest security patches and enhancements to address known vulnerabilities.
- User Education: Educate users about the importance of downloading the official app from trusted sources, avoiding suspicious links or downloads, and being cautious with app permissions.
- Multi-factor Authentication (MFA): Encourage users to enable MFA for their accounts to add an extra layer of security. Because BankBot can intercept SMS messages, factors that do not depend on SMS-delivered codes provide stronger protection.
- Real-time Monitoring: Implement real-time monitoring to detect and respond to suspicious activities within your app and network traffic.
- Secure Coding: Follow secure coding practices to prevent vulnerabilities in your app’s code, including input validation, data encryption, and secure API communication.
- Third-party Library Review: Carefully review and vet third-party libraries or components used in your app for potential security risks.
- Collaborate with Security Experts: Work with cybersecurity experts to conduct security assessments, code reviews, and penetration testing to identify and address your app’s security weaknesses.
- Incident Response Plan: Develop an incident response plan to respond to security incidents or breaches effectively.
By taking these precautions, you can help safeguard your mobile banking app and protect your users from the threats posed by the BankBot banking trojan and other evolving malware.
Learn More about Banking Trojan Families
BankBot is one of the principal families of banking trojans threatening mobile banking and financial apps. Learn more about other prominent banking trojan families:
- Medusa Trojan
- Cerberus Trojan