The New Era of Android Banking Botnets
In the past, mobile malware used to target victims only to harvest SMS messages, which are often used as a 2FA (two-factor authentication) mechanism or as OTP (one-time password). Since late 2015, we have seen attacks which targeted the entire bank app with an overlay type of attack that started a new era in Android banking botnets. This is what we will be detailing and discussing on this presentation. In the past, mobile malware used to target victims only to harvest SMS messages, which are often used as a 2FA (two-factor authentication) mechanism or as OTP (one-time password). Since late 2015, we have seen attacks which targeted the entire bank app with an overlay type of attack that started a new era in Android banking botnets. This is what we will be detailing and discussing on this presentation.
First, we will quickly introduce the audience of past Android malware families that had SMS harvest as a goal. Perkele, Zitmo and iBanking are some examples of those families.
Then, we will focus on modern Android malware evolution in terms of obfuscation, anti-analysis, C&C communication and infection mechanisms. We will also provide insights into some of those modern Android malware botnets including some not yet known to the public. The Android malware families we will be discussing are: Slempo (also known as GMBot and SlemBunk), MazarBot, Catelites, Shifu, Marcher and BankBot (also known as Maza-in).