Mobile financial malware needs little introduction; mobile malware has been on the rise since 2010. The first mobile banking Trojan was ‘Zitmo’ (Zeus-In-The-Mobile, a mobile version of ZeuS, the most common PC Trojan), which was followed by many variants of mobile Trojans with a financial focus, such as mToken, Perkele, iBanking, and more.

Nowadays, the majority of mobile Trojans target Android devices, using different techniques to gain administrator permissions on the victim’s device, steal users’ TANs (Transaction Authorization Numbers), intercept SMS messages containing OTPs, grab credentials, present fraudulent content, perform automatic money transfers, and more.

The main technique employed by mobile banking Trojans, which infect mobile phones and steal passwords and other data when the victim logs on to their online bank account, is to display their own fraudulent content over the legitimate application being presented to the user. This is known as an “overlay”, and the content is usually hard-coded into the malicious package.

Yasuo-Bot takes this technique one step further and dynamically displays fraudulent content “on the fly”, receiving it directly from its Command and Control server based on its configuration.

This departure from earlier mobile malware design adds flexibility for the malware and its operator: the fraudulent content can be tailored and customized to a much greater degree, and the malware can potentially attack a far greater number of targets without greatly increasing package size.

The malware presents itself as one of several legitimate applications, such as “Google Play”, in an attempt to fool the user into granting it administrator privileges:

Once the victim agrees, the malware gains a vast array of all-encompassing system permissions, including, but not limited to:

  • Full internet access
  • Read, write and send SMS messages
  • Change device settings (including device password)
  • Lock and unlock the device
  • Make phone calls
  • Display own content over other applications
  • Access to contacts list, call history, browser history and bookmarks, and device location
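As an added illustration (not code from F5 or from the malware itself), the following Python script triages a decoded AndroidManifest.xml for the permission profile listed above: a device-administrator receiver combined with SMS, overlay, call and data-access permissions. The permission names are the real Android ones; the sample manifest is constructed for this example and assumes the APK has already been decoded to plain XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> Android permissions that grant it (any one ticks the box).
PROFILE = {
    "internet": {"android.permission.INTERNET"},
    "sms": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.READ_SMS", "android.permission.WRITE_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "calls": {"android.permission.CALL_PHONE"},
    "data": {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
             "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
             "android.permission.ACCESS_FINE_LOCATION"},
}

def triage(manifest_xml):
    """Return (hits, device_admin): sorted capability names the manifest requests,
    and whether it declares a device-administrator receiver."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hits = sorted(cap for cap, perms in PROFILE.items() if requested & perms)
    # A device-admin component is a <receiver> guarded by BIND_DEVICE_ADMIN;
    # this is what the fake "Google Play" prompt asks the user to enable.
    device_admin = any(
        r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver"))
    return hits, device_admin

def is_overlay_trojan_profile(manifest_xml):
    """Device admin plus SMS plus overlay is the combination described above."""
    hits, device_admin = triage(manifest_xml)
    return device_admin and {"sms", "overlay"} <= set(hits)

# Constructed sample: a decoded manifest with the capability set described in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST), is_overlay_trojan_profile(SAMPLE_MANIFEST))
```

A matching profile is a triage signal, not proof of infection; legitimate device-management apps also request device admin, so the result should feed manual review rather than an automatic verdict.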

Once the malware has gained device administrator permissions, it sends the Command and Control server a request for a configuration file, along with some general information about the victim, including:

  • Android OS version
  • Device IMEI
  • Phone number
  • Country information
  • Bot Version

The returned configuration file contains the list of applications targeted for overlay and is saved locally on the victim’s device.

When the malware detects that a targeted application has been activated, it requests application-specific fraudulent content from the Command and Control server and displays it to the user instead of the legitimate application the user activated:

The fraudulent content is displayed to the user “on top” of the legitimate application:

Once the victim types them in, the entered credentials are sent back to the Command and Control server, along with the “application” they were harvested from:

But Yasuo’s bag of tricks doesn’t end there! One variant encountered goes so far as to target several default Android applications, which are present on virtually all Android devices, alongside its set of targeted banking applications, in an attempt to get at the user’s credentials:

  • Chrome browser
  • Facebook application
  • Android default settings application
  • Android default phone application
  • Android default SMS application

When this variant detects that a targeted (non-banking) application has been activated, it displays a prompt to the user. Once the user clicks through, it displays a second prompt asking the user to “choose his bank”. When the user chooses, they are redirected to a phishing page identical in content and layout to the overlay pages the malware displays upon activation of a targeted banking application.

To summarize, this new and actively evolving malware gives its authors and operators much greater flexibility and customization: it can target a virtually endless number of legitimate applications and dish out tailor-made fraudulent content for each one, without greatly increasing the size of the malware package.

F5 SOC will continue to investigate and monitor this new and emerging threat, and report on any new variants or new functionality encountered.

Known Yasuo-Bot samples (MD5):

ab9032ed5625667068a96119ddca8288, 8be9f7867e9e32e996629b5a6c11b16c, 39526ecbe6c6186a3d0b290afa2f3764, e68826f3e2d5f5b1e3e31ab5b04331cb