Acecard: Mobile Banking’s Newest Threat

Share Button

Reports from around the world have been detailing data theft from banking and messaging mobile apps, including Whatsapp, Facebook and SMS services over the last few months.[1] These attacks are especially complex in the way they take advantage of unsuspecting users, which includes stealing sensitive data, intercepting messages and taking over users’ personal accounts.[2]

Although there are multiple reports from renowned entities within the banking, security and media sectors, there is a shortage of details that prevents users from fully understanding the magnitude of this increasingly troubling situation. Our goal is to shed light on the matter and remediate this.

What Is Acecard?

Acecard is a malicious mobile app (also known as malware) that affects devices equipped with Android 5.1 (Lollipop)[5] or lower, regardless if they are rooted or not.[6] This app is extremely hard to uninstall and its main objectives are stealing other apps’ access credentials, such as online banking credentials, and intercepting the device’s messaging traffic.

Even in spite of its operational complexity, this app has received several updates to evade the security measures Google Play Store currently has in place. The app’s nefarious notoriety and effectiveness lies in the exploitation of three highly vulnerable points:

  • Users’ basic disregard for the permissions they grant when installing a new app (most of the time users don’t read messages describing the permissions that apps request.)
  • Mask codes: These are hidden code blocks which seem normal until they are inspected more closely.
  • Vulnerabilities in the development API that allow a third party to monitor and modify other apps installed on the device.

When launching attacks, cybercriminals leverage three major aspects of the malware: app overlapping, device monitoring and a terribly difficult process to uninstall.

How Did This Happen to Me?

Acecard

Regardless of the smartphone model, unknowingly installing certain applications can expose users to malicious code, which has quite a bit of history according to Kaspersky Lab.[3] When the app is being installed on the user’s phone, it requests administrative permissions supposedly needed by Adobe Flash Player.

Acecard

Once installed, the app’s icon disappears from sight, perhaps as a mechanism to prevent uninstalling it, and if users try to uninstall the app through other means, the option will simply not be available. Some users even attempt to disable the administrative permissions originally granted to the app, but this only makes the problem worse. In this case, the app would incessantly display a warning message asking the user to reinstate said permissions, rendering the phone almost useless.

Note: If for some unfortunate reason you have installed this app, just follow the steps below to uninstall it:

1.      Install  ADB[4]
2.      Deactivate administrative permissions for Acecard.  Acecard
3.      Wait for an Acecard pop-up window.  Acecard
4.      Run the following command: adb uninstall org.silsec.ggmng

 

 

 

App Overlapping

One of Acecard’s most infamous features is the ability to display windows and boxes that simulate the normal behavior of legitimate apps (overlapping). Acecard does not close, replace or modify the original app in any way (due to the API’s limitations); instead, it acts as a thief lurking in the shadows, ready to impersonate a banking customer.

The process of app overlapping goes like this:

Acecard

  1. The user has several apps on their device. One of them has embedded malware.
  2. The user opens a legitimate app included in the malware’s target list.
  3. The app starts normally and prepares to display its home screen, including forms and other details.
  4. The malware detects this process and intercepts it with its own home screen, which looks exactly like the original one.[7]
  5. The fake window requests sensitive user information. Once the user has entered it, normal operation is resumed without the users ever knowing that they just provided valuable information to a criminal app.

When studying Acecard’s behavior and inner workings, we noticed that Banco Santander’s app was included in its list of target apps. The diagram below shows the previously-described process using Banco Santander’s app as example:

Acecard

The following is Acecard’s list of target apps:

  • Play Store
  • Novo Banco S.A
  • BBVA
  • Citibank
  • Hang Seng Bank
  • Standard Chartered Bank
  • Bank of China
  • PayPal Mobile 
  • ANZ goMoney New Zealand
  • BNZ Mobile
  • Westpac One Mobile Banking
  • Kiwibank Mobile Banking
  • ANZ goMoney New Zealand
  • Google Play Music
  • Whatsapp
  • Instagram
  • Skype
  • Gmail
  • CommBank
  • NAB
  • Westpac Mobile Banking
  • George Mobile Banking
  • Viber
  • Santander Bank

As you can see, most of these apps come from renowned banking and messaging services based in the United States, Europe and Asia. Here is where mask codes make their entrance and fly under the radar of Google experts: Acecard features a service in charge of monitoring all device processes and filters them according to a well-defined hidden app list thanks to 64-base encoding,[8] as seen here:

Acecard

The decoded values correspond to the names of app packages and some operating system services:

Acecard

Monitoring

Some analysts have concluded that Acecard is in fact the evolution of a Trojan known as Backdoor.AndroidOS.Torec.a,[9] since these two malicious pieces of software share the same monitoring features in terms of user-activity, SMS, USSD requests,[10] device information, GPS data, etc.

All this information is stolen (aside from the transactional information stolen via app overlapping) thanks to user-granted permissions related to:

  • Network connections
  • SMS reading
  • Account managing
  • App-controlled device administration

Acecard

These types of permissions allow malware to gain control through commands (C&C)[11] display onscreen notifications and receive instructions via hidden internet services, usually Deep Web servers (TOR).[12]

How Can You Protect Yourself?

The only solution for users who have installed this malware is to reset factory settings, but this means losing all personal information on the device. Even though Google Play Store has already identified the app where Acecad is contained and is currently alerting users, it is also important to consider the very real possibility that Acecard is contained in other apps.

For this reason, additional security measures should be taken, including always checking the permissions granted to new apps, being vigilant about strange or suspicious behaviors on smartphones (pop-up windows requesting permissions, apps installing without consent, icons not acting normally, etc.), and verifying that there is only one window for entering sensitive information.

It is also recommended to immediately report any doubtful behavior encountered to Google Play Store so it can be properly evaluated. These simple measures can help a great deal in the prevention of electronic fraud that is now so common on mobile devices.

In this new era of information and communications, fraud will relentlessly continue to evolve to take advantage of our good faith and bank accounts.

 

[1] http://www.eltiempo.com/tecnosfera/novedades-tecnologia/descubren-uno-de-los-virus-mas-peligrosos-vistos-en-android/16519291

[2] http://news.softpedia.com/news/new-android-malware-combines-ransomware-with-a-banking-trojan-500629.shtml

[3] http://media.kaspersky.com/en/Infographics_Acecard_Timeline.png

[4] http://www.howtogeek.com/125769/how-to-install-and-use-abd-the-android-debug-bridge-utility/

[5] http://developer.android.com/intl/es/about/dashboards/index.html

[6] https://en.wikipedia.org/wiki/Rooting_(Android_OS)

[7] Overlapping happens almost instantaneously, although its execution times are directly affected by the device’s available resources.

[8] https://en.wikipedia.org/wiki/Base64

[9] https://securelist.com/blog/incidents/58528/the-first-tor-trojan-for-android/

[10] https://es.wikipedia.org/wiki/USSD

[11] http://www.pcworld.com/article/2045183/cybercriminals-increasingly-use-the-tor-network-to-control-their-botnets-researchers-say.html

https://en.wikipedia.org/wiki/Command_and_control_(malware)

[12] https://es.wikipedia.org/wiki/Internet_profunda

Leave a Reply

Your email address will not be published. Required fields are marked *