Trojan works by injecting fake logins into legitimate apps.A new Android banking trojan, named SlemBunk, has been uncovered by FireEye’s security team, one that targets users utilizing mobile banking apps in different countries across the globe.
Besides ransomware, mobile banking trojans seem to be cyber-criminals’ favorite weapon of choice these days, with new families discovered every day.
SlemBunk, observed initially by FortiNet, and now by FireEye researchers, has been seen targeting 33 financial institutions, 31 banks and two online payment systems, but with a preference for Australian and US banks.
As usual with most mobile threats, infection occurs via side-loaded applications, installed from non-official sources.
Infection via a weaponized Android Flash Player delivered via adult sites
According to the researchers, in SlemBunk’s case, users accessing adult websites are tricked into installing a fake Android Flash Player app so that they can view the pornographic material.
This lets the trojan on their device, which immediately starts performing a series of nefarious actions, like gaining administrator privileges, communicating with a C&C server, watching over processes, and when the time is right, injecting a fake login page into legitimate banking applications.
Once login credentials are acquired, SlemBunk immediately sends them to the C&C server. Besides financial information, the trojan is also known to collect other types of data, such as login details for various social networks, high-profile Android apps, contact lists, SMS messages, and various other phone details.
SlemBunk is still active, even now
According to FireEye’s team, when they first spotted the trojan, it only had the ability to steal data from social networking apps, but during the past year, SlemBunk grew in sophistication and slowly but surely expanded its capabilities.
“As SlemBunk expands its coverage of banks, its code has also become more sophisticated,” FireEye said in its analysis. “The rise and evolution of the SlemBunk trojan clearly indicates that mobile malware has become more sophisticated and targeted, and involves more organized efforts.”
FireEye says it detected at least 170 different SlemBunk variants, and that its last detected C&C server was still very active, meaning that new users are currently being contaminated.