A new Android banking malware family was recently found targeting users in Brazil. The trojans are distributed not only through the Google Play store but also on Facebook through promoted ads. The banker impersonates a performance-improving app called “Clean Droid” (over 500 installs), a Facebook monitoring app “Quem viu teu perfil” (over 10,000 installs) and “MaxCupons” (over 1,000 installs), all from the official app store. To stay under the radar, the apps can only be downloaded and installed in Brazil. I reported all these apps to the Google security team.
The earliest recorded infiltration has been available for more than a month; it was uploaded on September 13, 2018. There are also two Facebook pages, one of which distributes the Clean Droid infiltration. Both pages were created on October 24, 2018 using the same profile picture as the Google Play listing. One of the pages lists Sao Paulo, Brazil as its address to attract more people from that region.
Once installed and launched, the apps ask the user to enable Accessibility services so that the infiltration can read the name of the application currently in the foreground and its content, in this case the user's input and the activity's text. The purpose is to lure users into entering their credentials into a fake activity that belongs to the infiltration. This trojan family targets at least 26 mobile apps: not only mobile banking apps but also financial, multimedia entertainment, social media, shopping and other applications. When I analyzed this trojan, the attacker's server was down and I could not retrieve any phishing activity; however, I created a video of the first launch for illustration purposes.
The list of targeted package names is given below. Some entries are only fragments of a package name, such as the one for Uber, so that the trojan can match as many different services as possible.
The attacker did not implement any advanced uninstall protection, so it is not particularly difficult to remove the infiltration from an infected device:
Go to Settings -> Apps/Application manager -> CleanDroid/Quem viu teu perfil/MaxCupons -> Uninstall
| App name | Number of installs | Hash |
| --- | --- | --- |
| Quem viu teu perfil | 10,000+ | F6A18F93534EE68FD86A8CD3087B87BA |
Targeted package names (full names or fragments):
- br.com.gabba.Caixa
- br.com.original.bank
- com.itau
- com.mercadolibre
- com.bradesco
- br.com.bb
- com.contextlogic.wish
- com.santander.app
- com.santandermovelempresarial.app
- com.taxis99
- alibaba.aliexpresshd
- brainweb.ifood
- .uber
- la.foton.brb.myphone
- .spotify
- .netflix
- .recarga
- android.webmotors
- com.itaucard
- com.hipercard
- com.credicard
- com.paypal.android
- com.android.vending
- com.facebook
- com.novapontocom.casasbahi
- com.b2w.americanas
- .netshoes
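As an added illustration (not the author's code), a small Python triage helper for the list above: given the packages installed on a device, it reports which ones fall inside this family's target list, so an analyst can see at a glance which installed apps a sample like this would go after. The matching rule (plain substring containment, so that a fragment such as `.uber` matches `com.ubercab`) and the sample installed-package list are assumptions made for the example.

```python
# Added example, not the author's code. Target list copied verbatim from the
# write-up; the matching rule and the sample device inventory are assumptions.
from typing import Dict, List

TARGET_LIST: List[str] = """br.com.gabba.Caixa br.com.original.bank com.itau
com.mercadolibre com.bradesco br.com.bb com.contextlogic.wish com.santander.app
com.santandermovelempresarial.app com.taxis99 alibaba.aliexpresshd brainweb.ifood
.uber la.foton.brb.myphone .spotify .netflix .recarga android.webmotors
com.itaucard com.hipercard com.credicard com.paypal.android com.android.vending
com.facebook com.novapontocom.casasbahi com.b2w.americanas .netshoes""".split()

# Constructed sample of packages installed on a test device (not from the page).
SAMPLE_INSTALLED: List[str] = [
    "com.ubercab",                  # matched only through the ".uber" fragment
    "com.itaucard",                 # matched by two entries: com.itau, com.itaucard
    "com.google.android.apps.maps", # not targeted
    "com.netflix.mediaclient",      # matched through ".netflix"
    "com.android.vending",          # Google Play itself is on the list
    "br.com.gabba.Caixa",           # exact, case-sensitive match
]


def match_targets(package: str) -> List[str]:
    """Return every target entry contained in `package`, in list order.

    Assumption: the trojan compares the foreground package name against each
    entry with substring containment, which is what makes fragments work.
    Package names are case-sensitive on Android, so no case folding is done.
    """
    return [entry for entry in TARGET_LIST if entry in package]


def triage_installed(installed: List[str]) -> Dict[str, List[str]]:
    """Map each installed package that would be targeted to its matching entries.

    Packages with no match are omitted, so an empty dict means the device holds
    nothing this family's list would react to.
    """
    report: Dict[str, List[str]] = {}
    for package in installed:
        hits = match_targets(package)
        if hits:
            report[package] = hits
    return report


if __name__ == "__main__":
    for pkg, hits in triage_installed(SAMPLE_INSTALLED).items():
        print(f"{pkg}: targeted via {', '.join(hits)}")
```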