A new banking trojan is actively targeting Android users in Brazil. Researchers have identified this malware as “BrazKing” which has evolved into a serious banking trojan aiming at Brazilian banks.
BrazKing Android Banking Trojan Evolved Further
Researchers from IBM Security have recently shared details about the BrazKing banking trojan campaign caught in the wild.
As elaborated in their post, the latest campaign first caught the attention of MalwareHunterTeam. Then, IBM researchers decided to analyze it deeply.
Specifically, BrazKing isn’t a new malware. Check Point Research has already shared a detailed analysis of it earlier this year. However, the latest campaign involves a new strain that is more potent RAT.
The old strain exploited accessibility services to detect the app in use and pull screen overlays from hardcoded URLs. However, the latest version works differently. As stated,
Now, it automates a call to the attacker’s server, requesting those matches on the fly. The detection of which app is being opened, is now done server side, and the malware regularly sends on-screen content to the C2. Credential grabbing is then activated from the C2 server, and not by an automatic command from the malware.
In this way, the threat actor earns the chance to decide the next move according to the target device.
Moreover, the new trojan variant also demonstrates improved screen overlay functionality. Instead of pulling off fake overlay screens, it now uses the SYSTEM_ALERT_WINDOW permission to “remain elusive”. The malware loads the fake overlay screens from the C2 and uses the TYPE_ACCESSIBILITY_OVERLAY to display the fake overlay as webview within the app via accessibility service.
The other spying activities like keylogging, screen recording, and accessing SMS and contacts continue as expected at the back.
Malware Active In Brazil
To spread this malware, the attackers are running phishing campaigns where the malware reaches the target systems via phishing pages. The malware mimics a Google service or an update to trick the user into approving the required permissions. After that, the trojan establishes itself on the device, logs details, and continues the intended malicious activities.
Currently, the researchers believe that the malware is under distribution by local threat actors.
Nonetheless, all Android users must avoid such attacks by avoiding clicking on suspicious links.