New Android Banking Trojan "AMEXTROLL" Identified
/ 4 min read
Quick take - Cyble Research Labs has identified a new Android Banking Trojan named “AMEXTROLL,” which has evolved since its initial detection in 2021 and is currently being advertised on underground forums, featuring advanced functionalities for credential theft and device control, while posing significant risks to users through its distribution methods and extensive permission requests.
Fast Facts
- New Malware Identification: Cyble Research Labs has identified a new Android Banking Trojan named “AMEXTROLL,” also known as BRATA, first detected in June 2021 and advertised on underground forums.
- Evolution and Targeting: AMEXTROLL has evolved significantly since its initial distribution, with the last known attack in April 2022 targeting specific Italian banks through modified source code.
- Malicious Capabilities: The malware exploits 27 permissions, including dangerous ones like READ_EXTERNAL_STORAGE, and uses Accessibility Service to monitor user activity, capture screens, and steal credentials.
- Distribution and Evasion Tactics: AMEXTROLL is distributed via phishing sites and can disable Google Play Protect to evade detection, while also executing commands for malicious operations like USSD service calls for money transfers.
- User Protection Recommendations: Users are advised to download apps only from official stores, use reputable security solutions, enable Google Play Protect, and be cautious with app permissions and suspicious links to mitigate infection risks.
New Android Banking Trojan “AMEXTROLL” Identified
Cyble Research Labs (CRL) has identified a new Android Banking Trojan malware named AMEXTROLL. This malware is currently being advertised on underground cybercrime forums. Also known as BRATA, AMEXTROLL was first detected in late June 2021 and has evolved significantly since its initial distribution. The malware was initially spread through smishing and phishing campaigns targeting Italian banks, with the last known attack occurring in April 2022. During this attack, modifications were made to its source code to specifically target certain banking institutions.
Distribution and Capabilities
The Beta version of AMEXTROLL is available for rent at a price of $3,500 per month, with a test APK offered for $300. Threat actors claim that AMEXTROLL is encrypted, obfuscated, and persistent, boasting powerful functionalities that enhance its operational capabilities. The malware is distributed via phishing sites, including:
- hxxps://infoapp[.]pro/bancobpm[.]apk
- hxxps://youapp-conto[.]digital
Masquerading as a security application providing antispam protection, AMEXTROLL requests an extensive array of permissions—27 in total—upon installation. It abuses at least seven of these permissions for malicious purposes, including READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE. Other permissions include READ_SMS, SYSTEM_ALERT_WINDOW, and CALL_PHONE. The application is packed, with many components missing from the manifest file, complicating detection efforts.
Threat Features and Mitigation
AMEXTROLL exploits the Accessibility Service feature, allowing it to monitor user activity in real-time through Virtual Network Computing (VNC). It can capture the victim’s screen, monitor targeted applications for credential theft, and record the victim’s device screen. The malware collects SMS data based on commands from a Command and Control (C&C) server, facilitating various malicious operations.
To evade detection, AMEXTROLL disables Google Play Protect and gathers information about installed applications. It downloads HTML injection pages for targeted apps and creates overlays to steal credentials. Upon receiving commands from the C&C server, it can remove antivirus applications and execute USSD service calls for money transfers without requiring user interaction or internet access.
As banking threats continue to increase in sophistication, AMEXTROLL serves as a notable example of the evolving landscape of mobile malware. To mitigate the risk of infection, users are advised to:
- Download software only from official app stores.
- Utilize reputable antivirus and internet security solutions.
- Implement strong passwords and multi-factor authentication.
- Enable biometric security features.
- Remain cautious with links received via SMS or email.
- Ensure that Google Play Protect is enabled.
- Be careful with app permissions.
- Keep devices and applications updated.
Indicators of infection may include unusual mobile or Wi-Fi data usage, and alerts from antivirus software may also indicate infection. In the event of infection, recommended actions include disabling Wi-Fi/mobile data, removing the SIM card, and performing a factory reset. Users who experience fraudulent transactions should report them to their bank immediately.
This situation highlights the importance of understanding malware tactics, with MITRE ATT&CK® techniques related to AMEXTROLL’s operations including initial access, defense evasion, collection, input capture, exfiltration, and impact. Indicators of compromise (IOCs) for AMEXTROLL include specific SHA256, SHA1, and MD5 hashes of the analyzed APK file, as well as URLs associated with the malware.
Original Source: Read the Full Article Here
