Fake reCAPTCHA hides malware in Android apps

In this phishing campaign the attackers are impersonating Google in attacks against banking institutions and their users

Network security and ethical hacking specialists from the International Institute of Cyber Security report the emergence of a new phishing campaign that targets online banking users. Campaign operators are impersonating Google to try to get the victim’s access credentials.

The campaign has impacted a banking institution in Poland and its customers. Attackers have disguised the attack as a Google reCAPTCHA system and also use blackmail and intimidation to get victims to click on malicious links included in emails sent by campaign operators.

The messages that the attackers send contain fake information about recent transactions with a link to a malicious file. In the message, attackers ask the victim to verify the transactions by clicking on the link.

Although so far this campaign does not seem different from other phishing attacks, network security specialists point out that it is easily distinguishable in its second stage: instead of being redirected to a replica of the legitimate website, the victim lands on a fake 404 error page.

The page checks for a number of specifically defined user agents that are limited to Google crawlers. If the request does not come from a Google crawler (in other words, when other search engines are in use), the PHP script instead loads a fake Google reCAPTCHA built from JavaScript and static HTML.

“The page shows a very good replica of Google’s reCAPTCHA. However, because it is based on static elements, the images shown will always be the same, unless the malicious PHP coding is changed”, network security specialists report. “In addition, unlike legitimate reCAPTCHA, it is not compatible with audio playback”.

The user agent is then checked again to determine which kind of device the victim used to visit the page. Android users who complete the fake CAPTCHA are served a malicious APK as the payload.
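The two user-agent checks described above (a 404 for Google crawlers, a fake reCAPTCHA for everyone else, an APK for Android) are a form of cloaking that a defender can test for directly: request the same URL under several user agents and compare what comes back. The script below is an added example written for this article, not code from the campaign or from the researchers. It assumes a URL to probe is supplied on the command line; the Googlebot string is Google's documented one, while the desktop and Android strings and the sample responses are constructed for illustration.

```python
"""Probe a URL under several user agents and flag user-agent cloaking (added example)."""
from __future__ import annotations

import hashlib
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# Request profiles. The Googlebot string is Google's published one; the desktop and
# Android strings are representative values constructed for this example.
PROFILES = {
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
    "android": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36",
}

# Official loader that a genuine reCAPTCHA widget pulls in; a static replica does not.
OFFICIAL_LOADER = b"www.google.com/recaptcha/api.js"


@dataclass
class Response:
    status: int
    content_type: str
    body: bytes


def fingerprint(body: bytes) -> str:
    """Short content hash so differing bodies can be reported without dumping them."""
    return hashlib.sha256(body).hexdigest()[:16]


def analyze(responses: dict) -> dict:
    """Compare per-profile responses and return cloaking/payload indicators."""
    findings = []
    crawler = responses.get("googlebot")
    if crawler is not None:
        for name, r in responses.items():
            if name == "googlebot":
                continue
            # Same URL, different status or body depending on UA: classic cloaking.
            if r.status != crawler.status or fingerprint(r.body) != fingerprint(crawler.body):
                findings.append(
                    f"googlebot got HTTP {crawler.status} ({fingerprint(crawler.body)}) but "
                    f"{name} got HTTP {r.status} ({fingerprint(r.body)}): user-agent cloaking"
                )
    for name, r in responses.items():
        ct = r.content_type.lower()
        # An APK is a ZIP container; check the MIME type and the ZIP magic bytes.
        if "vnd.android.package-archive" in ct or r.body[:4] == b"PK\x03\x04":
            findings.append(f"{name} profile was served an APK payload")
        low = r.body.lower()
        if b"recaptcha" in low and OFFICIAL_LOADER not in low:
            findings.append(
                f"{name} profile got reCAPTCHA markup without the official api.js loader "
                "(possible static replica)"
            )
    return {"cloaked": any("cloaking" in f for f in findings), "findings": findings}


def probe(url: str, timeout: int = 10) -> dict:
    """Fetch url once per profile; HTTP errors such as 404 are data, not failures."""
    results = {}
    for name, ua in PROFILES.items():
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[name] = Response(resp.status, resp.headers.get("Content-Type", ""), resp.read())
        except urllib.error.HTTPError as err:
            results[name] = Response(err.code, err.headers.get("Content-Type", ""), err.read())
    return results


def sample_responses() -> dict:
    """Constructed responses that mimic the behaviour described in the article."""
    return {
        "googlebot": Response(404, "text/html", b"<html><body><h1>404 Not Found</h1></body></html>"),
        "desktop": Response(200, "text/html",
                            b'<html><div class="g-recaptcha"></div><script>/* static images */</script></html>'),
        "android": Response(200, "application/vnd.android.package-archive", b"PK\x03\x04" + b"\x00" * 16),
    }


if __name__ == "__main__":
    data = probe(sys.argv[1]) if len(sys.argv) > 1 else sample_responses()
    report = analyze(data)
    print("cloaked:", report["cloaked"])
    for line in report["findings"]:
        print(" -", line)
```

Run it with no argument to see the verdict on the constructed sample, or with a URL to probe a live host. The crawler-versus-browser comparison is the robust signal; the reCAPTCHA heuristic only says that the markup does not load Google's loader script, which is what a static copy looks like but is not proof by itself.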

Some samples of this malicious software have already been analyzed. In most cases it comes in its Android form and can read the status, location and contacts of a mobile device; scan and send SMS messages; make phone calls; record audio; and steal other sensitive information.

According to specialists in network security, some antivirus solutions have detected this Trojan as banker, BankBot, Evo-Gen, Artemis, among other names.

Last January, network security specialists discovered a phishing campaign related to the Anubis Trojan. The specialists discovered two apps in Google Play (a currency converter and energy saving software) loaded with malware ready to be activated as soon as the user interacted with his device.

Finally, the investigators claim that the malware tried to evade sandbox analysis by using motion sensor data to decide when to execute.