
Banker.BR

Posted: April 22, 2020

Banker.BR is yet another mobile banking Trojan that originates from Brazil and targets users in Latin America. The positive news is that this threat is crudely built, which should make it easy for reputable mobile anti-malware software to recognize – however, users who have not taken sufficient measures to protect their mobile devices from malware may end up in a lot of trouble if they get infected by Banker.BR.

It seems that the authors of Banker.BR rely on bogus messages that lead users to a corrupted website that asks them to download an 'enhanced security app' – as you can probably tell, it is not a legitimate download and, instead, users end up fetching a copy of the Banker.BR Trojan. Once this threatening application is launched on their devices, it collects some basic information about the phone – IMEI, operating system, SIM ID, and more. It also abuses Android's accessibility options to grant itself additional permissions that enable it to monitor the user's activity. As a result, the malware is able to spawn a fake pop-up as soon as the user opens an online banking portal.

This Brazilian Mobile Banker Relies on Overlay Phishing

This banking Trojan works by executing an overlay phishing attack – when the user visits one of the banking portals that the malware supports, it spawns a fake pop-up that asks for the user's login credentials. The pop-ups are designed very poorly, and all they include is a logo of the user's bank – many people are likely to notice that something is out of the ordinary, but users who do not spot the obvious scheme may unknowingly hand the attackers their bank account login credentials.

In addition to trying to phish the victim's login credentials, the Banker.BR Trojan also tries to monitor and collect SMS messages – this feature allows it to bypass two-factor authentication (2FA) by fetching confirmation codes from the victim's phone.

Banker.BR's phishing overlays are made poorly, and the Trojan's code appears to be as basic as it can get – all identified samples use the same hardcoded Command and Control server, which means that they become dysfunctional if this server is taken down. Furthermore, Banker.BR does not attempt to detect virtual environments and sandboxes, so it was very easy for malware researchers to analyze its activity in a controlled environment. Last but not least, Banker.BR's code is not obfuscated at all.
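The capability combination described above (accessibility-service abuse, overlay pop-ups, SMS collection and device-identifier harvesting) is visible in an app's manifest before it ever runs. The following static triage heuristic is an added example, not code from the original write-up or from the malware: it parses a decoded AndroidManifest.xml and flags that combination. The permission and action names are Android's real constants; the sample manifest is constructed and is not a real Banker.BR artifact.

```python
import xml.etree.ElementTree as ET

# Added triage heuristic; permission/action names are Android's real constants,
# the sample manifest below is constructed and not a real Banker.BR artifact.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Capability described in the write-up -> permissions that indicate it.
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},      # fake login pop-ups
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},  # 2FA codes
    "device_id": {"android.permission.READ_PHONE_STATE"},        # IMEI / SIM details
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return which banker-style capabilities a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    found = {cap: bool(perms & names) for cap, names in CAPABILITIES.items()}
    # An accessibility service is a <service> whose intent-filter binds the
    # AccessibilityService action; bankers use it to self-grant permissions.
    found["accessibility"] = any(
        a.get(ANDROID_NS + "name") == ACCESSIBILITY_ACTION
        for svc in root.iter("service")
        for a in svc.iter("action")
    )
    # Accessibility + overlay + SMS together is the overlay-phishing-plus-2FA-theft
    # pattern; each permission alone is common in legitimate apps.
    found["banker_pattern"] = found["accessibility"] and found["overlay"] and found["sms"]
    return found

# Constructed sample resembling a bogus "security app" manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakesecurityapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".MonitorService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for cap, hit in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{cap:15} {'YES' if hit else 'no'}")
```

Run it against the manifest apktool extracts from a suspicious APK; a "banker_pattern" hit is a triage signal for closer analysis, not a verdict on its own.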

Although this is one of the less advanced banking Trojans to originate from Brazil, it can still be a major threat due to its ability to phish out login credentials and monitor text messages to bypass 2FA measures.
