Acecard evolved from a simple information stealer to the most sophisticated Android banking trojan ever seen. The Android malware scene has a new top threat if we are to believe the security researchers from Kaspersky Lab, who identified over the past months a massive campaign being carried out using the once-overlooked Android Acecard malware family.
First spotted in February 2014, Acecard was initially a simple sniffer that collected information on its victims and sent it to its C&C server. Many security researchers dismissed the trojan as a simple-minded tool and ignored it, focusing on the more sophisticated malware families active at the time.
As time went by, Acecard's developers didn't give up on their tool and gradually built up its capabilities over the next six months, transforming the unremarkable sniffer into a powerful phishing tool that could rival the most complex desktop trojans.
First Acecard attacks started in May 2015
Despite its large set of offensive capabilities, Acecard remained a quiet threat, never used in real-world attacks until May 2015, when it was first deployed against Australian banks.
From May and up to September 2015, Kaspersky’s security team observed over 6,000 Acecard attacks, the majority against Russian, German, and Australian users, but also against banks in France, Spain, the US, the UK, Turkey, and Austria.
Researchers explain that, since its early days in 2014, Acecard has amassed the biggest collection of phishing overlays (fake login and payment screens displayed on top of legitimate apps) in the Android ecosystem.
Kaspersky says that the trojan is currently capable of accurately mimicking 32 banking and payment systems (including PayPal), the Google Play and Google Music payment screens, and the payment interfaces of 17 Russian banks, complete with their SMS-based verification stage.
But that's not all Acecard does. Its developers also expanded the trojan's phishing overlay capabilities to cover social networks such as Twitter, Facebook, and Instagram, the Gmail Android client, and IM apps like Skype, Viber, and WhatsApp. These overlays aren't used to phish for banking-related information, but to steal login credentials, which are subsequently transmitted to the Acecard C&C servers.
As for its distribution channels, Kaspersky says that most of the time the trojan is spread via spam email that lures users to third-party app stores. In most cases, the trojan is advertised as a version of Adobe Flash for Android or as an Android pornography app called PornoVideo.
It is worth mentioning that Adobe stopped developing the Flash client for Android in 2012, so it’s about time that users stop falling for this four-year-old gag.
Acecard's developers didn't stop there, though: on December 28, 2015, Kaspersky detected the trojan packed inside a game distributed through the official Play Store. Google removed it after Kaspersky's warning.
Acecard developers are working on a ransomware feature
Another twist in Acecard's operation was the recent addition of a "lock" command, which appears to be initial support for transforming the phishing and banking trojan into full-blown ransomware.
Acecard is not the first piece of Android malware that tries to combine a banking trojan with ransomware; Palo Alto Networks discovered something similar last week in the Android Xbot malware.
If you need a quick review, some of the top current malware threats to the Android ecosystem include Acecard, Xbot, Mazar BOT, and Asacub. Stay safe by installing only the apps you need, and only from the Google Play Store.