The BrazKing Android banking trojan has returned with dynamic banking overlays and a new implementation trick that enables it to operate without requesting risky permissions.
A new malware sample was analyzed by IBM Trusteer researchers who found it outside the Play Store, on sites where people end up after receiving smishing (SMS) messages.
These HTTPS sites warn the prospective victim that they are using an outdated Android version and offer an APK that will allegedly update them to the latest version.
If the user approves “downloads from unknown sources,” the malware is dropped on the device and requests access to the ‘Accessibility Service’.
This permission is abused to capture screenshots and keystrokes without requesting any additional permissions that would risk raising suspicions.
More specifically, the accessibility service is used by BrazKing for the following malicious activity:
Starting on Android 11, Google has categorized the list of installed apps as sensitive information, so any malware that attempts to fetch it is flagged by Play Protect as malicious.
This is a new problem for all banking overlaying trojans that need to determine which bank apps are installed on the infected device to serve matching login screens.
BrazKing no longer uses the ‘getInstalledPackages’ API call as it used to, but instead uses the screen dissection feature of the accessibility service to read which apps are installed on the infected device.
When it comes to overlaying, BrazKing now does it without the ‘SYSTEM_ALERT_WINDOW’ permission, so it can’t draw a fake screen on top of the original app the way other trojans do.
Instead, it loads the fake screen as a URL from the attacker’s server in a webview window, added from within the accessibility service. This covers the app and all its windows but doesn’t force an exit from it.
When detecting the login to an online bank, instead of displaying built-in overlays, the malware will now connect to the command and control server to receive the correct login overlay to display.
This dynamic overlay system makes it easier for the threat actors to steal credentials for a broader range of banks. Serving the overlays from the attacker’s servers also allows them to update the login screens as necessary to coincide with changes on the legitimate banking apps or sites or add support for new banks.
The new version of BrazKing protects internal resources by applying an XOR operation using a hardcoded key and then also encodes them with Base64.
Analysts can quickly reverse these steps, but they still help the malware go unnoticed when nested in the victim’s device.
If the user attempts to delete the malware, it quickly taps on the ‘Back’ or ‘Home’ buttons to prevent the action.
The same trick is used when the user tries to open an antivirus app, hoping to scan and remove the malware within the security tool.
BrazKing’s evolution shows that malware authors quickly adapt to deliver stealthier versions of their tools as Android’s security tightens up.
The ability to snatch 2FA codes and credentials and to take screenshots without hoarding permissions makes the trojan a lot more potent than it used to be, so be very careful with APK downloads outside the Play Store.
According to the IBM report, BrazKing appears to be operated by local threat groups, as it is circulating on Portuguese-speaking websites.
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved