Asacub Evolves from Simple Spyware to Full-On Android Banking Trojan


Cyber-crooks secretly developed the new Asacub Android malware and deployed it at scale for the first time this Christmas.

Over the past six months, security experts from Kaspersky have observed the slow evolution of the Asacub malware from simple spyware that collected information about the device into a full-blown cyber-threat capable of harvesting banking information, opening a backdoor on infected phones, and installing ransomware.

First detected in June 2015 as Trojan-Banker.AndroidOS.Asacub, the malware was a simple app that infected Android devices and collected data, sending it to a C&C (command and control) server.

The first version of Asacub gathered information such as the list of apps a user has installed on their mobile device, their browser’s history, and their contact list. Optionally, the malware could also send SMS messages and turn off the user’s screen on command. That was it.

Asacub slowly evolved during the summer

Things quickly evolved. In July, only a month later, Kaspersky researchers saw the first Asacub update, with its authors adding the ability to steal, intercept, and delete SMS messages, a feature needed whenever the trojan is used to validate and then hide fraudulent transactions.

With each passing month, Asacub added more new features, such as the ability to mute the phone, turn off the screen while leaving the CPU running, and even a remote shell that gave attackers access to the phone’s console, a classic backdoor.

The biggest and most important upgrade came in September, when Asacub was updated to show phishing screens for various banking apps from Russia, Ukraine, and the US. Additionally, the malware was updated to forward calls if needed, make USSD requests, and even download and install other apps from the Web (useful when installing ransomware).
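As an added example that is not part of the original article or of Kaspersky’s analysis, the script below triages an AndroidManifest.xml against the capability set described above (SMS interception and deletion, call forwarding and USSD, overlay phishing screens, silent installs). The permission-to-capability table, its weights and the sample manifest are this example’s own assumptions, not published indicators.

```python
"""Defender-side triage of an Android manifest for the capabilities an
SMS-stealing banking trojan needs. Constructed example; weights are arbitrary."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> (capability named in the article, hypothetical risk weight)
INDICATORS = {
    "android.permission.RECEIVE_SMS": ("intercept SMS", 2),
    "android.permission.READ_SMS": ("steal SMS", 2),
    "android.permission.WRITE_SMS": ("delete SMS", 3),
    "android.permission.SEND_SMS": ("send SMS", 1),
    "android.permission.CALL_PHONE": ("forward calls / USSD", 2),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay phishing screen", 3),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("install other apps", 2),
    "android.permission.WAKE_LOCK": ("keep CPU running with screen off", 1),
    "android.permission.MODIFY_AUDIO_SETTINGS": ("mute phone", 1),
}

def triage_manifest(xml_text: str) -> dict:
    """Return matched capabilities, a score, and whether the app registers a
    high-priority SMS_RECEIVED receiver (a long-standing SMS-stealer indicator)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hits = {p: INDICATORS[p][0] for p in perms if p in INDICATORS}
    score = sum(INDICATORS[p][1] for p in hits)
    sms_hijack = False
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        priority = int(flt.get(ANDROID_NS + "priority", "0"))
        if "android.provider.Telephony.SMS_RECEIVED" in actions and priority >= 999:
            sms_hijack = True
    if sms_hijack:
        score += 3
    return {"capabilities": sorted(hits.values()), "sms_hijack": sms_hijack, "score": score}

# Constructed sample manifest mirroring the described capability set (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```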

Asacub was only recently deployed against Android users

Despite all these features, Asacub activity remained low, with an infection here and there. Things changed on December 28, 2015, when Asacub infections skyrocketed, and they have remained high ever since.

Right now, only the mobile banking features are being used, even though the malware is capable of other, more intrusive operations.

“Asacub is an all-in-one hacker asset,” the Kaspersky team noted. “It could be used for phishing, malware distribution or even blackmailing. As it looks now, the adversaries are just testing out the available toolset, and there are reasons we should anticipate massive campaigns.”

Sample phishing screen shown via Asacub