The convenient and time-saving nature of mobile banking continues to make mobile devices an attractive target for cybercriminals. With more users relying on mobile banking for personal finance management, banks are enhancing the experience by incorporating features such as budgeting tools, AI-driven spending analysis and instant loan approvals (Source). As these apps become more embedded in users’ day-to-day activities, we can expect sustained and increasingly sophisticated campaigns targeting mobile banking users.

This blog post focuses on banking malware targeting Android devices. With several sources stating that Android accounts for up to 70% of the mobile market worldwide (Source), it is understandable why threat actors craft intricate campaigns against these devices, tricking users with legitimate-looking apps in order to obtain further permissions and steal sensitive data. Six recent campaigns are summarised below, each demonstrating the continued evolution of this threat: the use of the open-source NFCGate tool to relay NFC traffic in the NGate campaign, the wiping of devices post-attack by the BingoMod RAT, the custom virtual keyboard used by BlankBot, the bypassing of Android 13+ Accessibility restrictions by Chameleon, the targeting of cryptocurrency wallet recovery phrases by SpyAgent, and the well-organised, sophisticated nature of the recent Gigabud campaigns.

NGate

Between November 2023 and March 2024, a malicious campaign, dubbed NGate, targeted customers of three major Czech banks, abusing NFC technology to steal payment card data. The attack started with phishing campaigns consisting of deceptive SMS messages and automated calls informing victims that their accounts were involved in a security incident. Victims were asked to download a mobile app, supposedly to verify their existing payment card data and PIN. Once installed, the app, which was disguised as a legitimate banking app and built on the open-source NFCGate tool, relayed NFC data from the victim’s Android device to the attacker’s device. The stolen data was saved as a virtual card, allowing the attackers to emulate the victim’s card and withdraw cash at ATMs that support NFC. NGate did not require the device to be rooted, which, according to the ESET researchers who first identified the campaign, made it more accessible and dangerous. Six distinct NGate apps targeting bank customers were identified before the campaign was halted following the arrest of a suspect in March 2024. The number of affected individuals remains unknown. According to the researchers, the use of NFCGate to relay NFC traffic is a novel technique, not seen in any previous Android malware. (Source)

BingoMod RAT

In May 2024, Cleafy researchers discovered a new Android remote access trojan (RAT), BingoMod, targeting English-, Italian- and Romanian-speaking users through smishing campaigns, disguised as legitimate security tools such as AVG AntiVirus and WebSecurity. Once installed, the malware requests access to Accessibility Services, which grants it extensive control over the device. It can perform keylogging, intercept SMS messages and initiate fraudulent money transfers directly from the compromised device, bypassing anti-fraud systems that rely on identity verification and authentication of the user’s own device. The RAT uses Android’s MediaProjection API to capture real-time screen content, allowing remote control via its command-and-control infrastructure, with around 40 remote commands observed. The malware can also perform manual overlay attacks via fake notifications, leading to further credential theft and fraudulent transactions. It was seen stealing up to €15,000 per transfer. After a successful fraud, the malware wipes the device to hinder forensic analysis, which, according to the researchers, is a rare technique in campaigns targeting Android devices. Although the attacks’ scalability is limited by the need for a live operator, the RAT is still at an early stage of development and has the potential for further evolution. (Source)

BlankBot

In July 2024, Intel471 researchers uncovered a new Android banking trojan called BlankBot, primarily targeting Turkish users. BlankBot impersonates utility apps and abuses Accessibility Services to gain full control of infected devices, logging all activity, including SMS messages and other sensitive information. Its features include custom injections to steal banking data, keylogging, and screen recording via Android’s MediaProjection and MediaRecorder APIs. A distinctive characteristic of BlankBot is its custom virtual keyboard, implemented with the ‘InputMethodService’ class, which intercepts keystrokes regardless of which app the victim is typing into. The trojan communicates with its control server over WebSocket and blocks access to the settings and antivirus apps once it has confirmed it is running on a genuine device. BlankBot is still under development, with code obfuscation and junk code observed in recent samples, most likely to hinder reverse engineering. (Source)

Chameleon

In July 2024, ThreatFabric researchers identified new campaigns involving the Chameleon Android banking trojan, originally discovered in December 2022. These campaigns targeted Canadian hospitality workers, particularly employees of a large international restaurant chain, using a CRM app as a disguise; the malware also targeted regions in Europe. All analysed samples were distributed via a multi-stage approach involving a dropper that bypasses the Android 13+ ‘Restricted Settings’ protection, which normally prevents sideloaded apps from being granted Accessibility Service access. After installation, the dropper displays a fake CRM login page requesting employee credentials, followed by a message asking the victim to reinstall the app. Once the user follows the prompt, the Chameleon payload is installed and collects sensitive data in the background by abusing Accessibility Services. According to the researchers, the ability to bypass the Android 13+ Accessibility restrictions has become a critical feature for modern banking trojans. (Source)

SpyAgent

Earlier this month, McAfee researchers reported on campaigns delivering a new Android malware named SpyAgent, first observed in January 2024. The attacks begin with phishing campaigns conducted through text messages and direct messages on social media, which redirect users to websites where they are lured into downloading a seemingly legitimate app. These apps masquerade as banking, government services, utility or TV streaming apps. Once installed, victims are asked to grant the app permissions to access sensitive data, including SMS messages, contact lists and storage. Based on McAfee’s investigation, the primary focus of SpyAgent is stealing cryptocurrency wallet mnemonic recovery phrases, indicating that its ultimate motive is to drain victims’ wallets. The malware also uses endless loading screens, unexpected redirects and blank screens to distract victims while it exfiltrates data in the background. Over 280 fake apps have been detected in Korea since early 2024, with recent campaigns targeting users in the UK. The researchers also found evidence that the perpetrators are working on an iOS variant of SpyAgent. (Source)

Gigabud

Researchers at Zimperium recently reported on a newly identified link between Gigabud and SpyNote, two Android trojans designed to steal sensitive data from victims. Their report follows earlier research by Cyble, who identified an increase in Gigabud activity and connections between Gigabud and the GoldDigger Android banking trojan, and by Group-IB, who found links between Gigabud and a new, sophisticated iOS banking trojan named GoldPickaxe. Gigabud, GoldDigger and GoldPickaxe have all been attributed to a single threat actor, dubbed GoldFactory, which is active mainly in the Asia-Pacific region and is believed to be a Chinese-speaking cybercrime group. Gigabud’s similarities with numerous Android banking malware variants, as well as with iOS banking malware, indicate not only the threat actor’s high level of sophistication, but also show how far a single actor operating in the banking malware sphere can extend its reach across platforms. The variants were observed being distributed via phishing campaigns impersonating airline apps, banking apps or government tax entities. Targets included users in Thailand, Vietnam, Bangladesh, Indonesia, Mexico, South Africa and Ethiopia. (Source 1, Source 2, Source 3)

Takeaways

These campaigns demonstrate the continually evolving nature of threats targeting mobile banking users. Despite varying levels of technical sophistication, resources and primary targets, each contributes to the ever-changing threat landscape that banking organisations face. From NGate’s abuse of NFC technology to SpyAgent’s use of distraction screens, threat actors constantly adapt their techniques to trick users, bypass security measures and steal sensitive financial data. As these threats continue to emerge and evolve, open-source intelligence (OSINT) plays a key role in understanding new malware trends, identifying threat actor tactics and capabilities, and developing strategies to safeguard banking customers. OSINT also helps businesses gain global awareness of banking malware trends: BingoMod, Chameleon, SpyAgent and Gigabud have targeted users across various countries, while the techniques leveraged by BlankBot and NGate can easily be replicated and adapted to target users in other regions.
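Every campaign above starts by acquiring the same small set of device capabilities: Accessibility Services (BingoMod, BlankBot, Chameleon), an input-method binding for a custom keyboard (BlankBot), NFC (NGate), SMS and contacts (SpyAgent), overlays (BingoMod) and screen capture via MediaProjection (BingoMod, BlankBot). A practical first triage step for a suspicious APK is therefore to decode its manifest (for example with apktool or androguard) and check which of these declarations it carries. The script below is an added example written for this post, not code from Silobreaker or from any of the vendors cited; the two manifests, the package names, the weights and the verdict threshold are all constructed for illustration and are assumptions, not a published detection rule.

```python
"""Static triage of a decoded AndroidManifest.xml for the capabilities the
campaigns above rely on. Added example; weights and manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Install-time permissions worth flagging; weights are this example's own.
RISKY_PERMISSIONS = {
    "android.permission.NFC": (1, "NFC access (card-data relay, cf. NGate)"),
    "android.permission.READ_SMS": (1, "SMS read (OTP interception)"),
    "android.permission.RECEIVE_SMS": (1, "SMS receive (OTP interception)"),
    "android.permission.READ_CONTACTS": (1, "contact harvesting (cf. SpyAgent)"),
    "android.permission.SYSTEM_ALERT_WINDOW": (1, "draw over other apps (overlays)"),
    "android.permission.REQUEST_INSTALL_PACKAGES": (1, "install a second stage (dropper)"),
}

# Service bindings that hand the app keystrokes or screen control. A service is
# only a real binding if it also declares the matching intent-filter action.
RISKY_SERVICE_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": (
        3, "android.accessibilityservice.AccessibilityService",
        "Accessibility Service (screen reading / remote control)"),
    "android.permission.BIND_INPUT_METHOD": (
        3, "android.view.InputMethod",
        "custom keyboard / IME (keystroke capture, cf. BlankBot)"),
}


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(ANDROID_NS + name)


def triage_manifest(manifest_xml: str) -> dict:
    """Return findings, a weighted score and a verdict for one decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    findings, score, has_accessibility = [], 0, False

    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in RISKY_PERMISSIONS:
            weight, desc = RISKY_PERMISSIONS[name]
            findings.append(f"permission {name}: {desc}")
            score += weight

    for svc in root.iter("service"):
        svc_name = _attr(svc, "name")
        binding = _attr(svc, "permission")
        actions = {_attr(a, "name") for a in svc.iter("action")}
        if binding in RISKY_SERVICE_BINDINGS:
            weight, action, desc = RISKY_SERVICE_BINDINGS[binding]
            if action in actions:
                findings.append(f"service {svc_name}: {desc}")
                score += weight
                has_accessibility |= binding.endswith("BIND_ACCESSIBILITY_SERVICE")
        # MediaProjection needs no manifest permission, but on Android 10+ the
        # service doing the capture must declare this foreground service type.
        if "mediaProjection" in (_attr(svc, "foregroundServiceType") or ""):
            findings.append(f"service {svc_name}: mediaProjection foreground service (screen capture)")
            score += 2

    # Verdict (assumed threshold): Accessibility plus other risky capabilities is
    # the common denominator of BingoMod, BlankBot and Chameleon. A lone
    # Accessibility binding (a screen reader) or a lone IME (a keyboard app)
    # is legitimate and must not trigger on its own.
    return {"findings": findings, "score": score,
            "suspicious": has_accessibility and score >= 5}


# Constructed manifest resembling the fake "card verification" lure above.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardverify">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Card Verifier">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".KeyboardService"
             android:permission="android.permission.BIND_INPUT_METHOD">
      <intent-filter><action android:name="android.view.InputMethod"/></intent-filter>
    </service>
    <service android:name=".CaptureService" android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary app, for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"><activity android:name=".MainActivity"/></application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(f"{label}: score={result['score']} suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The verdict deliberately requires an Accessibility binding in combination with other capabilities, because screen readers and third-party keyboards legitimately declare the individual services; a manifest check like this is a triage filter to decide which samples deserve dynamic analysis, not a classifier. It also says nothing about the Android 13+ Restricted Settings bypass used by Chameleon, which is a property of the dropper’s install flow rather than of the payload’s manifest.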

To learn more about how Silobreaker can help in monitoring new and emerging campaigns please get in touch here.