Dissecting Android KorBanker

FireEye recently identified a malicious mobile application that installs a fake banking application capable of stealing user credentials. The top-level app acts as a bogus Google Play application, falsely assuring the user that it is benign.

FireEye Mobile Threat Prevention platform detects this application as Android.KorBanker. This blog post details both the top-level installer as well as the fake banking application embedded inside the top-level app.

The app targets the following banks, all of which are based in Korea.

  • Hana Bank
  • IBK One
  • KB Kookmin Bank
  • NH Bank
  • Woori Bank
  • Shinhan Bank

Once installed, the top-level application presents itself as a Google Play application. It also asks the user for permission to activate itself as a device administrator, which gives KorBanker ultimate control over the device and helps the app stay hidden from the app menu.

The user sees the messages in Figure 1 and Figure 2.

korbanker_1

The message in Figure 2 translates to: “Notification installation file is corrupt error has occurred. Sure you want to delete the corrupted files?”

When the user clicks taps the “Yes’ button, KorBanker hides itself from the user by calling the following Android API:

getPackageManager().setComponentEnabledSetting(new ComponentName("com.pro.www", "com.pro.www.MainActivity"), 2, 1)

The arguments “2” and “1” which are being passed to the above function are explained below.

The 2 argument represents is the value for the COMPONENT_ENABLED_STATE_DISABLED flag, which causes the component to be disabled from the menu of apps.

The 1 argument is the value for the DONT_KILL_APP flag, which indicates that the app should not be killed and continue running in the background.

After installation, the app checks whether any of the six targeted banking applications have been installed. If it finds any, it deletes the legitimate banking application and silently replaces it with a fake version. The fake versions of the banking applications are embedded in the “assets” directory of the top-level APK.

Initial registration protocol

The top-level APK and the embedded fake banking app register themselves with their respective command-and-control (CnC) servers. The following section explains the registration process.

Top-level app

The top-level app registers itself by sending the device ID of the phone to the remote CnC server packed in a JavaScript Object Notation (JSON) object. The data packet excerpt is shown in Figure 3. This is the first packet that is sent out once the app is installed on the device.

korbanker3

Figure 3: KorBanker data packet during registration

The packet capture shown in Figure 3 shows the structure of the registration message. The bytes highlighted in red indicate the CnC message code of 0x07(decimal 7) which translates to the string addUserReq.

Outlined in yellow is length indicator — 0x71(113 bytes)— followed by the JSON object containing the Device ID and the phone number of the device. The values for callSt and smsSt are statically set to 21 and 11, respectively.

The response bytes shown in black containing 0x04 and 0x01 map to the command addUserAck. They are sent by the server to acknowledge the receipt of the previously sent addUserReq. Code inside the application invokes various functions as it receives commands. These functions may exist for future updates of the application.

korbanker4

Figure 4: KorBanker code for sending incoming messages to CnC server

Once the installation of the app has been registered, the app waits for incoming messages on the phone, possibly looking for access codes that arrive as a part of two factor authentication methods for one of the six targeted banks. All incoming messages to the phone are intercepted and sent to the CnC server 180.214.160.70 on port 8888 as shown in Figure 4.

The bytes highlighted in red after the response show the message code of 0x08 (Decimal 8), which translates to the command addSmsReq. This is followed by the size of the message. The Device ID is sent at the end of the data packet to identify the device from which this message was seen with the timestamp. It also suppresses the SMS notifications from the user and deletes the message from the device.

The remote CnC infrastructure is based on numeric codes. These codes are stored in a data structure in the app. All incoming messages and responses from the CnC server arrive in numeric codes and get translated into corresponding strings, which in turn drive the app to perform different tasks.

Table 1 shows the CnC commands supported by the top-level app. All the commands ending with “Req” correspond to the infected client requests made to the CnC server. All the commands ending with “Ack” indicate acknowledgements of the received commands.

korbankertable

Fake banking app 

The fake banking app once installed registers with a CnC server on a different IP address by sending the HTTP request shown below.

korbanker5

Figure 5: Data capture showing the installation of the fake banking app 

Once the phone is registered, the user is presented with the following fake login page of the banking app, which prompts the user for banking account credentials. All these credentials are stored internally in a JSON object. korbanker_6

The user is then prompted for a SCARD code and 35-digit combination, which is recorded into the JSON and sent out to ‘http://180.214.160.70/send_bank.php as follows:

{ "renzheng" : "1234",

"fenli" : "1234",

"datetime" : "2013-08-12 12:32:32",

"phone":'8889991111',

"bankinid": '1234',

"jumin": '1234',

"banknum" : '1234',

"banknumpw" : '1234',

"paypw" : 'test',

"scard" : "1234567890",

"sn1" : "1234",

"sn2" : "1234",

"sn3" : "1234",

....

....

"sn34" : "1234",

"sn35" : "1234"

}

The response received is as follows:

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Connection: close

Content-Type: text/html

Date: Fri, 22 Nov 2013 02:05:00 GMT

Expires: Thu, 19 Nov 1981 08:52:00 GMT

 

Conclusion

This malware sample takes extra measures to obtain banking credentials. With the increased usage of mobile devices and with the liberal permission allotment to apps that appear benign we are now at an increased risk of monetary losses on the mobile front. Mobile banking is not completely void of its adversaries. KorBanker is a vivid reminder of just how dangerous apps from untrusted sources can be.