BasBanke is a new Android malware family targeting Brazilian users. It is a banking Trojan built to steal financial data such as credentials and credit/debit card numbers, but not limited to this functionality. The propagation of this threat began during the 2018 Brazilian elections, registering over 10,000 installations to April 2019 from the official Google Play Store alone.
This malware can perform tasks such as keystroke logging, screen recording, SMS interception, and the theft of credit card and financial information. To trick users into downloading the malware, the authors advertise it via Facebook and WhatsApp messages. Campaign’s new URLs redirect victims either to the official Google Play Store or to a website hosting malicious APK packages.
The malicious applications hosted in Google Play Store disguise themselves as applications with supposed functionality such as a secure QR reader, a fake app for a real travel agency with travel deals, and – implementing a well-known trick – as an application to “see who visited your profile.” The most widespread malicious application is a fake version of CleanDroid, first announced in a paid advertisement on Facebook, and linking to the application hosted on the Play Store. This “miraculous” application promises to protect the victim’s device against viruses, to optimize memory space, and to save data when using a 3G or 4G connection. In reality it is a banking Trojan.
The number of targeted banking applications and websites is quite significant. A considerable number of Brazilian financial institutions and other popular websites such as Spotify, YouTube, and Netflix are on the target list. However, when it comes to stealing banking credentials, metadata such as the device name, IMEI, and the telephone number used by the victim are sent to a remote C2. Why pay special attention to this data? Well, fraudsters need it to mimic legitimate access to the account of the victim.
Depending on the version of the malware, we found different targets – and they are all financial institutions. In addition, an extensive list of keywords defines what other brands or websites will trigger the keylogging procedure.
We have previously found a few malicious campaigns similar to this but with significantly reduced distribution when compared to BasBanke. Another difference is that BasBanke uses Facebook and WhatsApp as a mass distribution vector. Also, it appears to have sparked new ideas among Brazilian cybercriminal crews, by showing how easy it is to infect an Android device with a malicious application hosted in the official store. The attackers behind BasBanke have proved that the Play Protect feature is not enough to stop them and effectively block their malware. In fact, Basbanke is the forerunner of a larger malicious campaign that we’ll be reporting on soon.