A mixture of known cyber attack techniques is being used to infect Android smartphones with banking malware. After inducing victims to register their cell phones on fraudulent websites, criminals contact them directly to install a malicious application capable of stealing credentials to access accounts at different financial institutions.
This is a targeted scam, according to experts at security firm ThreatFabric. Bank customers in Italy have been the main victims of the wave of attacks, which also involves customized tools sold by criminals so that even people with little familiarity with technology can run the scam. Such kits make it easy to create fake pages in the name of Italian banks, register the victims who fall for the phishing message, and notify the criminals so that the follow-up calls can be made.
The initial SMS claims that the victim's registration needs to be updated or that there are problems accessing the bank by phone, and requests data such as cell phone number, branch, account number and even credit card details. A criminal then calls, identifies himself as a representative of the institution and directs the victim to install Copybara, a banking trojan that displays overlay screens and proceeds to steal data.
The malware is a variation of the BRATA family, which has been targeting Brazilian customers since 2019 and also goes by the name Joker — not to be confused with the threat of the same name, which has been using fake apps on the Google Play Store to spread since last year. In the case of Copybara, the method of data theft is the insertion of fake overlay screens, in which information entered by users goes directly to the crooks’ servers.
The same screens also allow the malware to perform banking operations in the legitimate apps in the background while the user sees only the overlay. Copybara also has remote access functionality that allows it to install new malicious applications, replace text in form fields and receive new commands from its command-and-control servers.
According to the researchers, TOAD (Phone-Advised Delivery) attacks are becoming more effective as Google strengthens Android's security frameworks. Relying on direct interaction with the user increases the chance of success and, although mass distribution is not possible this way, the recurring gains can be greater.
Meanwhile, the security recommendation for users is not to click on links that arrive via SMS, WhatsApp and other instant messengers. Registration forms should only be completed when you are sure of the origin of the page, and telephone contacts, especially those involving requests for data or the installation of an app, should only be handled through the institution's official phone numbers and contact channels.
Source: Threat Fabric