Android banking malware found on Google Play with over 10,000 installs targets Brazil

By Lukas Stefanko

A new Android banking malware family was recently found targeting users in Brazil. The trojans are distributed not only through the Google Play store but also on Facebook through promoted ads. The Android banker impersonates a performance-improving app called “Clean Droid” (over 500 installs), a Facebook monitoring app called “Quem viu teu perfil” (over 10,000 installs) and “MaxCupons” (over 1,000 installs), all from the official app store. To stay under the radar, the apps can only be downloaded and installed in Brazil. I reported all these apps to Google's security team.

Figure 1. Courtesy of @defesa_digital
Figure 2. Infiltration available for download for more than a month

Distribution

The earliest recorded infiltration has been available for more than a month; it was uploaded on September 13, 2018. There are also two Facebook pages, one of which distributes the Clean Droid infiltration. Both pages were created on October 24, 2018 and use the same profile picture as the Google Play listing. One of the pages gives Sao Paulo, Brazil as its address to attract more people from that particular region.

Figure 3. Facebook page for Clean Droid
Figure 4. Facebook page with address in Sao Paulo, Brazil

Functionality

Once installed and launched, the apps ask the user to enable Accessibility services for them. With that permission the infiltration can read the package name of whichever application is brought to the foreground together with its on-screen content, in this case user input and activity text. The purpose is to lure users into entering their credentials into a fake activity that belongs to the infiltration rather than to the legitimate app. This trojan family targets at least 26 mobile apps: not only mobile banking apps but also financial, multimedia entertainment, social media, shopping and other applications. When I analyzed this Trojan, the attacker's server was down and I could not retrieve any phishing activity; however, I created a video of the first launch for illustration purposes.
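As an added example (not part of the original post), the following Python script shows a defender-side check for the permission this family abuses. It parses the value of the Android secure setting enabled_accessibility_services, as printed by `adb shell settings get secure enabled_accessibility_services`, and lists every package that holds an enabled Accessibility service but is not on a reviewer's allowlist. The sample setting value and the package names inside it are constructed for illustration; the post does not give the malware's real package names.

```python
"""Triage helper: which packages hold an enabled Accessibility service?

Added example, not code from the original post. The secure setting
`enabled_accessibility_services` is a colon-separated list of flattened
component names of the form "package/ServiceClass"; a class name that starts
with "." is relative to the package. The sample below is constructed.
"""
from typing import Dict, List, Set

# Constructed sample of the setting value; a real device lists its own services.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cleandroid/com.example.cleandroid.AccessService:"
    "com.example.quemviu/.MonitorService"
)

# Packages a reviewer accepts as legitimate holders of the permission (constructed).
KNOWN_GOOD: Set[str] = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting: str) -> Dict[str, List[str]]:
    """Map each package to the fully qualified accessibility services it has enabled."""
    result: Dict[str, List[str]] = {}
    # `settings get` prints "null" when the setting was never written.
    if not setting or setting.strip() == "null":
        return result
    for component in setting.strip().split(":"):
        if "/" not in component:
            continue  # ignore malformed entries rather than failing the whole triage
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        result.setdefault(pkg, []).append(cls)
    return result


def suspicious_packages(setting: str, known_good: Set[str] = KNOWN_GOOD) -> List[str]:
    """Packages with an enabled accessibility service that are not allowlisted, sorted."""
    return sorted(pkg for pkg in parse_enabled_services(setting) if pkg not in known_good)


if __name__ == "__main__":
    for pkg, classes in parse_enabled_services(SAMPLE_SETTING).items():
        print(pkg, "->", ", ".join(classes))
    print("needs review:", suspicious_packages(SAMPLE_SETTING))
```

On a real device, feed the script the output of the adb command above; any unexpected package in the "needs review" list is worth inspecting, since a banking app, a cleaner or a "who viewed your profile" app has no legitimate need for Accessibility access.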

Targeted applications

Below is the list of targeted package names, or parts of them (such as “.uber”); matching on a fragment lets a single entry cover as many different types of services as possible.

Figure 5. Malware targeted apps to steal credentials from

Malware removal

The attacker did not implement any advanced uninstall protection, so it is not particularly difficult to remove the infiltration from an infected device:
Go to Settings -> Apps/Application manager -> CleanDroid/Quem viu teu perfil/MaxCupons -> Uninstall

IoC

App name             | Number of installs | Hash
Quem viu teu perfil  | 10,000+            | F6A18F93534EE68FD86A8CD3087B87BA
MaxCupons            | 1,000+             | 3AF6DEAC02F825DDEAF0AC2EAA013FF3
CleanDroid           | 500+               | DA7ABC91B29F8B2F33FEB1B1EDDC979A

Targeted package names:

br.com.gabba.Caixa
br.com.original.bank
com.itau
com.mercadolibre
com.bradesco
br.com.bb
com.contextlogic.wish
com.santander.app
com.santandermovelempresarial.app
com.taxis99
alibaba.aliexpresshd
brainweb.ifood
.uber
la.foton.brb.myphone
.spotify
.netflix
.recarga
android.webmotors
com.itaucard
com.hipercard
com.credicard
com.paypal.android
com.android.vending
com.facebook
com.novapontocom.casasbahi
com.b2w.americanas
.netshoes
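The following Python script is an added example (not code from the original post) that turns the two IoC sets above into triage helpers: it matches an installed-package list against the target list, and matches APK files against the hash table. Two assumptions are made and marked in the code: the target list is matched by substring, since the post describes it as package names "or their parts" (so ".uber" would also cover a package such as com.ubercab), and the 32-hex-digit values in the IoC table are MD5 digests, which the post only calls "Hash". The installed-package sample is constructed.

```python
"""Added example, not code from the original post: triage helpers built from
the post's IoCs.

1. targeted_packages(): which installed packages the malware would act on.
   Assumption: the target list is matched by substring, since the post says it
   holds package names "or their parts" (e.g. ".uber").
2. scan_apks(): which APK files in a directory match the IoC hash table.
   Assumption: the 32-hex-digit values in the IoC table are MD5 digests (the
   post only calls them "Hash").
"""
import hashlib
from pathlib import Path
from typing import Dict, List, Optional, Union

# Target list exactly as given in the post.
TARGET_PATTERNS: List[str] = [
    "br.com.gabba.Caixa", "br.com.original.bank", "com.itau", "com.mercadolibre",
    "com.bradesco", "br.com.bb", "com.contextlogic.wish", "com.santander.app",
    "com.santandermovelempresarial.app", "com.taxis99", "alibaba.aliexpresshd",
    "brainweb.ifood", ".uber", "la.foton.brb.myphone", ".spotify", ".netflix",
    ".recarga", "android.webmotors", "com.itaucard", "com.hipercard",
    "com.credicard", "com.paypal.android", "com.android.vending", "com.facebook",
    "com.novapontocom.casasbahi", "com.b2w.americanas", ".netshoes",
]

# IoC hashes from the post, lower-cased for comparison.
IOC_HASHES: Dict[str, str] = {
    "f6a18f93534ee68fd86a8cd3087b87ba": "Quem viu teu perfil",
    "3af6deac02f825ddeaf0ac2eaa013ff3": "MaxCupons",
    "da7abc91b29f8b2f33feb1b1eddc979a": "CleanDroid",
}


def matching_pattern(package: str) -> Optional[str]:
    """First target pattern contained in the package name, or None."""
    for pattern in TARGET_PATTERNS:
        if pattern in package:
            return pattern
    return None


def targeted_packages(installed: List[str]) -> Dict[str, str]:
    """Map each installed package the malware would act on to the pattern that hit.

    `installed` is the kind of list `adb shell pm list packages` produces,
    with the "package:" prefix already stripped.
    """
    hits: Dict[str, str] = {}
    for pkg in installed:
        pattern = matching_pattern(pkg)
        if pattern is not None:
            hits[pkg] = pattern
    return hits


def md5_hex(data: bytes) -> str:
    """MD5 digest of a byte string as lower-case hex."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: Union[str, Path]) -> str:
    """MD5 digest of a file, read in chunks so a large APK does not sit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def ioc_match(digest: str) -> Optional[str]:
    """Name of the IoC entry a digest belongs to, or None (case-insensitive)."""
    return IOC_HASHES.get(digest.lower())


def scan_apks(directory: Union[str, Path]) -> Dict[str, str]:
    """APK files in `directory` whose MD5 is in the IoC table, keyed by path."""
    hits: Dict[str, str] = {}
    for apk in Path(directory).glob("*.apk"):
        name = ioc_match(md5_of_file(apk))
        if name is not None:
            hits[str(apk)] = name
    return hits


# Constructed sample of an installed-package list; only the marked ones hit.
SAMPLE_INSTALLED = [
    "com.ubercab",              # hits ".uber"
    "com.spotify.music",        # hits ".spotify"
    "com.android.chrome",       # no hit
    "com.itau",                 # hits "com.itau"
    "br.com.bb.android",        # hits "br.com.bb"
    "com.netflix.mediaclient",  # hits ".netflix"
]

if __name__ == "__main__":
    for pkg, pattern in targeted_packages(SAMPLE_INSTALLED).items():
        print(f"{pkg:28s} matched by {pattern!r}")
    print(scan_apks("."))  # hashes any *.apk files in the current directory
```

Note that the substring rule is deliberately loose: "com.itau" also covers "com.itaucard", and ".uber" covers any package containing that fragment, which is what makes one short entry reach several apps of the same brand. The same looseness means the list is only useful for scoping which victims the family could phish, not as a detection rule on its own; the hash table is the part to use for matching samples.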

Acknowledgment

This analysis would not be possible without @defesa_digital who discovered this threat and @MalwareHunterBR who informed me about it.