Banking trojans disguised as shopping apps attack Malaysian Android users

According to the company’s blog, the trojan’s main targets are users of the Android OS. The trojan is distributed in the form of an Android app, which is used to steal money from users’ accounts.

The malware is a modification of the previously known trojan called Android.Bankosy.1.origin. This trojan is capable of stealing confidential information, including SMS messages, contacts, and call logs. It can also record audio via the microphone, and take pictures via the camera. The trojan can also send SMS messages to other people.

The main purpose of the malware is to steal money from the victim’s account. It may also be used to send SMS messages to premium-rate phone numbers.

When installed, they allow the actors to perform many malicious actions such as:
They can steal personal information, such as:
They can access the phone’s content.
They can access the phone’s camera.
They can make calls to premium numbers.
They can send SMS messages to premium numbers.
They can access the phone’s contacts list.
They can access the phone’s location.
They can access the phone’s microphone.
They can upload files to the Internet.
They can download files from the Internet.
They can upload files from the Internet.
They can access the phone’s storage.
They can access the phone’s system settings.
They can access the phone’s system logs.
They can install additional apps.
They can change the phone’s settings.
They can uninstall apps.
They can change the phone’s screen lock.
They can change the phone’s password.
They can change the phone’s screen unlock.
They can change the phone’s fingerprint.
They can send fake SMS messages.
They can change the phone’s ringtone.
They can change the phone’s wallpaper.
They can change the phone’s language.
They can change
An interesting feature of this banking malware is that it employs the following trick to avoid being detected by the system:
When the malware is launched, it will immediately check if the system is running in a virtual machine, and if the answer is affirmative, it will exit. This is done by means of the command:
sysinfo
If the malware is executed in a virtual machine, the output of the command will be as follows:
Otherwise, the output would be something like:
If the output of the command is the second one, the malware will exit.
A similar feature was implemented by the Zeus banking trojan.
The malware will also check if the following files exist on the system:
If any of the following files are found, the malware will exit:
The malware will also check if the following services are running:
If any of the following services are found to be running, the malware will exit:
The malware will also check if it is running in a virtual machine and if the following files exist on the system:
If any of the following files are found on the system, the malware will exit:
The malware will also check if the following services are running:
If any of the following services are found to be
They log keystrokes and steal information from the clipboard. They may also download files from FTP servers and email them to the attackers.

Trojan-Spy.Win32.Zbot.gen is a trojan horse that steals logins and passwords from accounts of online banking systems. It logs keystrokes and steals information from the clipboard. It may also download files from FTP servers and email them to the attackers.