We Steal SMS: An insight into Android.KorBanker Operations
Twelve months. That is how long we’ve known about the Android.KorBanker malware app. For a year, this app has been operational, attacking unsuspecting users who think they’re simply downloading a banking application when in fact, they’re opening their bank account credentials to a threat actor(s).
We’ve been monitoring the KorBanker malware ever since it was discovered in September 2013, gaining insight by accessing one of the many command-and-control (C2) servers that the malware communicates with. In November 2013, a FireEye Labs blog thoroughly dissected KorBanker. Today’s blog delves deeper into information about the attack vector and the nature of data being targeted by the malicious actor(s) behind this threat.
A Foot in the Door
The C2 server for KorBanker is known to respond back with a HTTP 404 error page, even though the server is up and running. A custom 404 error page leads the average user to believe the server is no longer functional. The current C2 server for the malware is located at 220.127.116.11, while previously it has been known to exist on 18.104.22.168, 103.27.177,106 and 22.214.171.124. These servers are also known to function as malware distribution points in addition to performing C2 operations.
Figure 1 - Misleading 404 from CnC 126.96.36.199
A MySQL database on the C2 server stores exfiltrated data and reveals the extent of data collected by the attacker. Our earlier blog post outlined the functionality and the kind of data collection conducted by the malware. The database seems to accurately reflect that the attacker has successfully collected such data.
Based on timestamps within the database, we determined the data in question spans 55 days and includes more than 10,000 SMS messages from 96 devices. The 96 infected users have collectively received SMS messages from over 3,500 users, a wealth of information in a relatively short period. The attacker runs a much larger operation, which is evident because the malware continues to be present. Its current C2 server appears to be at 188.8.131.52 and has also been known to previously exist on 184.108.40.206. This shows the information on this C2 is only a sliver of the information collected by the attacker.
Most of the infected devices are believed to be in Korea based on the country code of the infected phone numbers.
Figure 2 - Type of contents in sensitive SMS messages
Since SMS messages can potentially contain two factor authentication codes, we see in Figure 2 that the attacker has two factor authentication codes (such as from Google, Facebook, Password Resets) and also has received SMS messages containing passwords to VPN services. Additionally, since SMS messages form the bulk of communication in the APAC region, the attacker can also see other services that rely on SMS such as Location Sharing and Mobile Banking (sending GPS information via text) – which underscores the increased risk of mobile-based threats. Since such information can potentially be used to access corporate networks, mobile malware plays an important role in the newly evolving multi-vector threat landscape.
By looking at information in the FireEye DTI Cloud, we determined that the first instance of this malware was seen in September 2013, which means this campaign has been ongoing for the last 11 months. We have also seen a recent spike in activity for this campaign since August 1st, 2014, with more than 1700 infected devices
Our research shows us real-world evidence that mobile malware can indeed be part of a larger operation through which cyber criminals gather victim’s information. Adding to the already complex threat landscape, it remains to be seen how multi-vector threats, including mobile malware, will evolve in the future.