A malicious app posing as a phone call recording utility in the Google Play Store stole thousands of euros from at least two bank customers in Europe.
The malware was planted in the QRecorder app, advertised as an automatic call and voice recording tool. At the time of the analysis, it had been downloaded over 10,000 times.
Once installed, the malicious app could intercept text messages and asked for permission to draw over other applications (the Android "display over other apps" permission) so it could cover them with its own interface.
Together, these capabilities let it capture two-factor authentication codes delivered to users via SMS and control what the user sees on the screen.
ESET security researcher Lukas Stefanko says that the audio recording features worked as expected, so victims would have no reason to be suspicious of harmful activity.
According to Stefanko, the operator sends instructions to the app within 24 hours of installation, one of which is a scan of the device for specific banking apps.
Whenever a targeted banking app launched, the Trojanized QRecorder covered it with a phishing screen that collected login credentials and passed them to the attacker.
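The two capabilities described above (SMS interception and drawing over other apps) show up in an APK's manifest before any of the behaviour is observed, which makes them a cheap static triage signal for a "utility" app that should need neither. The following is an added example written for this page, not ESET's or ThreatFabric's tooling and not code from QRecorder; both manifests are constructed for illustration, and the package and class names in them are hypothetical.

```python
"""Static triage of an Android manifest for the capability combination the
article describes: SMS interception plus drawing over other apps.

Added example (not ESET's or ThreatFabric's tooling, and not code from
QRecorder). Both manifests below are constructed for illustration; their
package names and class names are hypothetical.
"""
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PRIORITY = f"{{{ANDROID_NS}}}priority"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that let an app read one-time codes delivered by SMS.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Permission behind the "display over other apps" prompt.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
# Permissions that reveal which app is in the foreground, i.e. when to overlay.
FOREGROUND_PERMS = {"android.permission.PACKAGE_USAGE_STATS",
                    "android.permission.GET_TASKS"}

# Constructed manifest of a "call recorder" that also asks for SMS, overlay
# and usage-stats access and registers a high-priority SMS receiver.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.callrecorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <application android:label="Call Recorder">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of a recorder that asks only for what recording needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainrecorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Plain Recorder"/>
</manifest>
"""


def permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def sms_receiver_priority(manifest_xml: str) -> Optional[int]:
    """Highest android:priority on any receiver filtering SMS_RECEIVED, or None.

    A high priority lets the app see an incoming SMS before the default
    messaging app does (on older Android versions it could also abort the
    broadcast so the user never saw the code).
    """
    root = ET.fromstring(manifest_xml)
    best = None
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(PRIORITY, "0"))
                best = prio if best is None else max(best, prio)
    return best


def triage(manifest_xml: str) -> dict:
    """Flag the SMS-interception plus overlay combination in one manifest."""
    perms = permissions(manifest_xml)
    result = {
        "sms_access": bool(perms & SMS_PERMS),
        "overlay": bool(perms & OVERLAY_PERMS),
        "foreground_visibility": bool(perms & FOREGROUND_PERMS),
        "sms_receiver_priority": sms_receiver_priority(manifest_xml),
    }
    # Either capability alone has legitimate uses; together, in an app whose
    # advertised purpose needs neither, they form the overlay-banker pattern.
    result["overlay_banker_pattern"] = result["sms_access"] and result["overlay"]
    return result


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

Run it against a manifest extracted with `apktool` or `aapt dump xmltree` (converted to plain XML) rather than the binary AXML inside the APK. The check is deliberately a triage signal, not a verdict: a legitimate SMS app will declare the SMS permissions and a screen-filter app will declare the overlay one, so the finding is only meaningful against what the app claims to be for.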
Czech Television reports that the malware targets apps from Raiffeisen Bank, as well as ČSOB and Česká Spořitelna, two of the largest banks in the Czech Republic.
Stefanko's analysis revealed that the number of financial institutions the malware monitored was much larger, with Air Bank, Equa, ING, Bawag, Fio, Oberbank, and Bank Austria also on the list.
“Based on language mutations used in the app and payload, I can say the main targets are German, Polish and Czech banks. Different payloads are created for different banking apps, targeting particular apps. However, I could not obtain the decryption key and identify all targets,” he says.
Banking Trojan is a BankBot variant
The malware has been identified as Razdel, a less widespread variant of the BankBot (Anubis I) mobile banking Trojan.
Security researchers at ThreatFabric analyzed Razdel and found that its targets change from one campaign to another, depending on the region targeted by its operator.
The 10,000 downloads appear to have claimed at least two victims, who lost about EUR 10,900 between them, a Czech-language publication reports.
However, the app may have stolen smaller amounts from other victims, Filip Hrubý, spokesman for Česká Spořitelna, told the publication.
He was quick to point out that the institution monitors bank accounts for suspicious outgoing transactions initiated from Android phones and alerts customers if unusual changes occur.
Surviving Google Play's protection mechanisms
Banking Trojans in Google Play are not unheard of. Stefanko himself reported several of them at the beginning of the month, while Nikolas Chrysaidos of Avast shared details about a campaign that distributed this type of malware.
Miroslav Dvořák, technical director at ESET, says that an internal analysis shows QRecorder was originally a legitimate application, which explains its download count, and that the malicious functionality was added in its last update.
The malicious QRecorder app analyzed by ESET researchers is no longer present in the official Android store.
The video below shows how the Trojanized QRecorder covers the interface of legitimate banking apps with its own login screen: