
What can malware do? Mobile malware part 1

07/11/2019


So far in 2019 there has been rapid growth in malware, particularly in the mobile banking sector. According to the latest report from Check Point, banking malware has grown by more than 50% compared to 2018. At the same time, Kaspersky reported that 438,709 of their mobile users encountered a total of 3,730,378 financial attacks, a figure that does not include other types of mobile malware. Clearly, there is a lot of malware out there targeting the financial sector. In this post, we’ll look at what malware can do once it is installed; how malware spreads is the topic of the next post.

Understanding Malware

There can be several reasons for malware to target end-users, but the most common one is financial profit:

  • Banking malware tries to steal your credentials and empty your accounts.

  • Spyware, as the name indicates, spies on you and transfers your personal information to the attacker, who may later use it for blackmail.

  • Ransomware typically encrypts the data stored on your device and demands payment to unlock it.

  • Cryptominers use the processor on your phone to mine cryptocurrency.

  • Adware shows ads as notifications or as floating windows on top of the screen.

Triada and Triout

Two of the more common mobile malware families in 2019 are Triada and Triout. Triada has even been found preinstalled on cheap phones from the Far East.

Both Triout and Triada are modular collections of components: one for remote control of the device (a «RAT»), one for communicating with other devices, one for gaining elevated access rights, and so on. Common to both is a laundry list of exploits used to gain root on Android, which gives them rights far beyond what normal Android permissions allow.

Rooting Malware

Root access makes it possible for the malware to:

  • Gain access to the memory and storage of every single app. Triada goes further and injects itself into Zygote, the process every Android app is forked from, so it becomes part of every running application and can modify what happens inside them.

  • Hide from the lists of running services and applications

  • Hide from overviews of installed packages and programs

  • Read all files, including the databases web browsers use to store your passwords

Root access makes it very hard to discover that the device has been infected; the malware has essentially the same access to the system as the software shipped by the phone manufacturer. But even without root, malware might be able to:

  • Read, hide and modify incoming SMS messages, and recognise whether a message is a one-time password (OTP) from the sender’s number

  • Record calls and transfer the recordings to remote servers

  • Remotely control the user interface, typically by abusing Android’s accessibility services, e.g. to automatically transfer money out of your account when you open your banking app

  • Display overlays on top of other applications, e.g. to hide the real recipient of a money transfer

  • Forward calls, e.g. when your bank calls you to ask why you are transferring money to a casino in the Philippines

  • Log everything typed on the keyboard (including your passwords)

The most effective kind of malware is, of course, the kind end-users never notice, which triggers exactly once, at the moment most profitable for its operators. An example would be an attacker who has worked out how to exploit a common banking app and has built a module that transfers money out of any available account. An infection is not stand-alone: it depends on a command-and-control server that receives stolen information and sends back commands and updates.
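None of the non-root capabilities above are exploits; they are ordinary Android permissions and services that a malicious app simply asks for, which is why the combination of permissions an app requests is a useful first triage signal. The script below is an added example, not code from the original post or from any malware family it describes. It parses the output of `aapt dump permissions <apk>` (from the Android SDK build-tools; several APKs’ output concatenated) and flags packages whose permissions cover the capability clusters in the list above. The cluster names, the alert threshold and the two sample packages are this example’s own constructions. Accessibility-service abuse (UI remote control, keylogging) is declared as a service in the manifest rather than as a uses-permission, so this heuristic cannot see it.

```python
"""Flag Android APKs whose requested permissions cover banking-malware capability clusters.

Added example, not from the original post. Input format: `aapt dump permissions`
output, possibly concatenated for several APKs. Sample input is constructed.
"""
import re
from typing import Dict, List, Set

# Capability clusters mapped to the non-root capabilities discussed in the post.
# A package is flagged for a cluster only if it requests *all* permissions in it.
# Cluster names are this example's own labels, not Android terminology.
CLUSTERS: Dict[str, Set[str]] = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "call_recording": {"android.permission.RECORD_AUDIO", "android.permission.READ_PHONE_STATE"},
    "call_control": {"android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

# `aapt dump permissions` prints "package: com.foo" followed by one line per permission,
# either "uses-permission: name='android.permission.X'" (current aapt) or the older
# unquoted "uses-permission: android.permission.X". Both forms are accepted.
PKG_RE = re.compile(r"^\s*package:\s*(?:name=')?([\w.]+)'?")
PERM_RE = re.compile(r"^\s*uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?")


def parse_aapt_permissions(text: str) -> Dict[str, Set[str]]:
    """Return {package_name: {requested permissions}} from aapt output."""
    result: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current is not None:
            result[current].add(m.group(1))
    return result


def flag_capabilities(perms: Set[str]) -> List[str]:
    """Names of the clusters fully covered by the given permission set, sorted."""
    return sorted(name for name, needed in CLUSTERS.items() if needed <= perms)


def triage(text: str, threshold: int = 3) -> Dict[str, dict]:
    """Per package: covered capability clusters and whether the count reaches the
    alert threshold. The threshold is an arbitrary triage knob, not a verdict."""
    report: Dict[str, dict] = {}
    for pkg, perms in parse_aapt_permissions(text).items():
        caps = flag_capabilities(perms)
        report[pkg] = {"capabilities": caps, "suspicious": len(caps) >= threshold}
    return report


# Constructed sample: two imaginary packages, not real apps.
SAMPLE = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
package: com.example.fakeupdate
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.PROCESS_OUTGOING_CALLS'
uses-permission-sdk-23: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

if __name__ == "__main__":
    for pkg, info in triage(SAMPLE).items():
        marker = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{pkg:30s} {marker:10s} {', '.join(info['capabilities']) or '-'}")
```

Treat a hit as a reason to look closer, not as a conviction: a legitimate SMS app or dialer will trip several of these clusters, and a well-written banking trojan that relies on accessibility services alone may trip none. The useful signal is the mismatch between what an app claims to be (a flashlight, a system update) and the capability set it requests.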

Learning from Malware

Behind all of this there is an entire ecosystem of malware authors and criminal gangs communicating through underground forums. Getting into these forums can be surprisingly easy, and it does not take much effort to find cheap prepackaged malware suites for remote-controlling infected phones, software for running your own command-and-control server, and various types of banking malware. Of course, it is not advisable to actually trust a service bought from a darknet Tor site, but it can be quite educational to see what is on offer.

In our next post, we’ll look at how malware spreads, and what you can do to avoid being infected.