BasBanke, also known as Coybot, is a banking malware for Android designed to steal banking credentials from Brazilian entities. It started its malicious activity at the time of the Brazilian elections of October 2018 and has recently reappeared.
The Trojan has targeted Brazilian banking entities since its inception and its attacks have been very intermittent, with new samples appearing fairly infrequently.
After several months of silence, new samples of this Trojan have appeared recently that follow the family's classic behavior. They all work the same way; what has changed is mainly the application name and its package identifier:
Samples detected in recent days
Although this Trojan's infection vector has not been identified with certainty, the infection vectors of previous versions suggest that it could have spread through fake Facebook posts and fake WhatsApp messages.
Judging by the names and logos it uses, the fake Facebook and WhatsApp posts that may have been used to spread the malware would warn users about a fake update for Android and/or Google Play. The following image shows the fake window displayed by the malware when it is first launched after installation.
Image displayed by the app when launched after installation
This banking malware follows the same operating scheme as the other banking Trojans for Android that we have discussed in previous posts and reports. It asks the user to grant it accessibility permissions and runs a service in the background that is notified whenever the user performs an action on the graphical interface.
This way, the malware receives information about the user's activity and the applications in which this activity is taking place.
Code that checks the package identifier of the app open in the foreground
In the above image you can see how the Trojan checks the package identifier of the application running in the foreground. These identifiers are obtained through the accessibility service that the malware runs in the background.
We can also observe that this malware tries to hide the strings of the targeted entities by encoding them in Base64 and decoding them when needed. This does not make manual analysis much harder, but it can be a problem for automated analysis systems, since the strings do not appear in clear text in the code.
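As an added analysis aid (not code from this report or from the malware itself), the following Python recovers Base64-encoded string literals from decompiled source text and flags those that look like Android package identifiers, which is the kind of check an automated pipeline needs when strings are hidden this way. The sample source and the package names in it are constructed placeholders.

```python
import base64
import binascii
import re

# Constructed sample of decompiled-style lines. The real strings from the
# malware are not reproduced here; these are placeholder identifiers.
SAMPLE_SOURCE = """
String a = "Y29tLmV4YW1wbGUuYmFua2E=";
String b = "Y29tLmV4YW1wbGUuYmFua2I=";
String s = "cG9udG8ucGhw";
String n = "AAAAAAAAAAAAA";
String z = "////////////";
String url = "http://example.invalid/ponto.php";
"""

# Quoted literals made only of Base64 characters (12+ chars, optional padding).
B64_TOKEN = re.compile(r'"([A-Za-z0-9+/]{12,}={0,2})"')
# Reverse-DNS style identifier with at least three dot-separated parts.
PACKAGE_LIKE = re.compile(r'^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*){2,}$')


def decode_b64_strings(source):
    """Return (encoded, decoded) pairs for every quoted literal that is
    valid Base64 and decodes to printable ASCII; everything else is skipped."""
    found = []
    for match in B64_TOKEN.finditer(source):
        token = match.group(1)
        try:
            raw = base64.b64decode(token, validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid Base64 (e.g. bad padding)
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # decodes to binary, not a hidden string
        if text.isprintable():
            found.append((token, text))
    return found


def package_identifiers(source):
    """Decoded strings that look like Android package names."""
    return [text for _, text in decode_b64_strings(source) if PACKAGE_LIKE.match(text)]


if __name__ == "__main__":
    for encoded, decoded in decode_b64_strings(SAMPLE_SOURCE):
        print(f"{encoded} -> {decoded}")
    print("package-like:", package_identifiers(SAMPLE_SOURCE))
```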
Fake activity is displayed right away when one of the affected apps is opened
Once a targeted application is detected, the Trojan displays an Android activity with a login form very similar to the original, with the aim of getting the user to enter their credentials, which are then sent to the control server.
In addition to using Base64 encoding to hide text strings, this malware also includes strings encrypted with AES, which are decrypted when the application launches for later use.
Strings encrypted with AES that are decrypted at launch
String decrypting routine
Another interesting detail of this malware is that one of its HTTP requests closely resembles those of a Windows malware known as 'Pazera'. The request in question sends data about the infected device to a PHP script called 'ponto.php', which is the same script that most 'Pazera' Trojans connect to in order to send precisely the same information about the operating system version and the infected system.
Request to 'ponto.php' similar to that of the 'Pazera' Trojans for Windows
This similarity could mean that the authors behind this malware are also the developers of 'Pazera', although the 'Pazera' Trojan for Windows focuses on Latin American entities while this Android banker only affects Brazilian entities.
Malware for Android is on the rise and every day there are more families of banking Trojans that threaten the users of different banking entities around the world.
The vast majority of current bankers follow the same modus operandi and use 'overlays' to display a fake window requesting the user's login credentials. This window is displayed as soon as the banking entity's official application is launched, making the user believe that the legitimate application is requesting the data, which is then stolen.
Given the popularity and growth of this type of malware for Android, we must stay alert in order to protect the data and money of the banks' end customers. Moreover, we must bear in mind that Android malware is able to intercept received text messages, so second-factor authentication mechanisms based on one-time passwords sent by SMS may not be effective at all. Implementing other systems, such as behavioral biometrics, that can detect whether a user has been impersonated or manipulated throughout the session is really useful for protecting users and their information.