New malware onslaught on mobile banking revealed

Asacub – a malware that targets Android users for financial gain – has been unleashed in recent weeks after first being discovered last June, reports Kaspersky Lab.

The internet security and anti-virus software specialist adds that when discovered, Asacub displayed all the signs of an information stealing malware. However, some versions of the Trojan target users of online banking in Russia, Ukraine and the US.

“With millions of people using their smartphones worldwide to pay for goods and services, 2015 saw cybercriminals exploit this by focusing their efforts on developing malicious financial programmes for mobile devices,” the group comments.

“For the first time ever, a mobile banking Trojan entered the Top-10 most prevalent malicious programs that target finances. The Asacub Trojan is yet another example of this worrying trend.”

Kaspersy Lab’s anti-malware research team says that the first version of the Asacub Trojan was discovered last June. This malware, capable of stealing the contact details, browser history and a list of installed apps from an infected device, was also able to send short message service (SMS) messages to given numbers blocking the screen of the device – all standard functions for a typical information-stealing Trojan.

However, last autumn the team discovered several new versions of the Asacub Trojan, which had developed into a tool for stealing money. The new version was equipped with phishing pages mimicking log-in pages of banking applications.

Initially, it appeared that Asacub targeted only Russian-speaking users, as the modifications contained fake log-in pages of Russian and Ukrainian banks. However, upon investigation the team found a modification with fake pages of a large US bank.

These versions also contained a new set of functions including call redirection and sending unstructured supplementary service data (USSD) requests – a special service for interactive non-voice and non-SMS communications between the user and cellular provider – making Asacub a powerful tool for financial fraud.

Kaspersky Lab knew of several different versions of the Trojan, but its threat detection systems found little evidence of active Asacub campaigns until the end of 2015. Within just one week, the group identified more than 6,500 attempts to infect users with the malware, making it one of the five most popular mobile Trojans of that week, and the most popular Trojan-Banker.

“When analysing this Trojan, we found that the Asacub malware has connections to criminals with links to a Windows-based spyware called CoreBot,” said Roman Unuchek senior malware analyst at Kaspersky Lab USA

“The domain used by Asacub’s command and control centre is registered to the same person as tens of domains that were used by Corebot. It is therefore highly likely that these two types of malware are being developed or used by the same gang, who see huge value and criminal gain in exploiting mobile banking users.

“Based on current trends, we can assume that in 2016 the development and prevalence of mobile banking malware will continue to grow and account for an even greater share of malware attacks. Users need to be extra vigilant to ensure they don’t become the next victim.”


Related reading