Android banking malware remains active when infected devices sleep to save power

Malware uses social engineering to bypass battery-saving process.

David Bisson


A new Android banking trojan can stay connected with its command & control servers, even after infected devices have gone dormant.

At issue here is something known as Doze.

First introduced in Android 6.0 Marshmallow, Doze is a power mode that activates once a user hasn’t interacted with their device for a period of time.


Once Doze is activated, the Android operating system restricts applications’ access to the network and other services on the phone to conserve battery… that is, unless the app is included in the Battery Optimizations exceptions allow-list.

Therein lies the rub. A malicious program simply needs to add itself to that allow-list.

To accomplish that aim, variants of the trojan Android.Fakebank.B are leveraging social engineering techniques. Specifically, they’re invoking REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, a permission which is automatically approved and which causes a pop-up message to display to the user.


Android.Fakebank.B disguises itself as a legitimate app – for instance, the Chrome browser – to trick the user into granting it the necessary permission.
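One defensive triage check the behaviour above suggests, added here as an example and not code from the article or from Symantec's analysis: a Python script that parses a decoded AndroidManifest.xml and flags an app that requests REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, especially when it also asks for SMS access or carries a label that impersonates a well-known app such as Chrome. The sample manifest is constructed, and the brand-to-package table is an assumption you would extend for your own environment.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission the article says Android.Fakebank.B invokes to get onto the
# Battery Optimizations allow-list, plus the SMS access it then abuses.
DOZE_BYPASS = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Well-known app labels and the package that legitimately owns them
# (assumption: extend with whatever brands matter to you).
KNOWN_BRANDS = {"chrome": "com.android.chrome"}

# Constructed sample: a decoded manifest of a fake "Chrome" that requests
# the Doze exemption and SMS access under an unrelated package name.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Chrome"/>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return package, label and a list of findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    # Attribute names carry the android namespace; element names do not.
    perms = {p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""

    findings = []
    if DOZE_BYPASS in perms:
        findings.append("requests Doze exemption (can stay online while the device sleeps)")
        if perms & SMS_PERMS:
            findings.append("Doze exemption combined with SMS access")
    owner = KNOWN_BRANDS.get(label.strip().lower())
    if owner and package != owner:
        findings.append(f"label '{label}' impersonates {owner}")
    return {"package": package, "label": label, "findings": findings}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for finding in result["findings"]:
        print(f"[{result['package']}] {finding}")
```

Run it against a manifest decoded with a tool such as apktool; the real Chrome package produces no findings because its label matches its owning package.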

Regardless of whatever mask it is wearing, you don’t want to click “Yes.” Dinesh Venkatesan of Symantec Security Response explains why:

“If the user accepts the prompt’s request, the malware will be added to the Battery Optimization exception whitelist, allowing it to stay connected to its attacker’s remote location even when the device is inactive.”


Once that’s all said and done, the malware has free rein to read a victim’s SMS messages, install shortcuts, and check the phone’s status.

The malware’s main functionality is to check to see if any of the following banking applications are installed on the infected device:

  • nh.smart
  • com.shinhan.sbanking
  • com.webcash.wooribank
  • com.ATsolution.KBbank
  • com.hanabank.ebk.channel.android.hananbank

If the trojan finds one of those apps, it will delete it and ask the user to install a malicious copy, at which point it can lie in wait to steal the victim’s banking credentials.


To be sure, Android.Fakebank.B is far from the first malware that’s used social engineering, and it certainly won’t be the last.

With that in mind, users should maintain an up-to-date anti-virus solution on their devices and should never click on suspicious links or email attachments.

You should also be on the lookout for apps that request (an inordinate number of) permissions that don’t coincide with their advertised functions, e.g. “Chrome” asking to be placed on the Battery Optimization exceptions allow-list.

Common sense is your best friend when it comes to your digital security. Use it!


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
