CyberCrimeSecuritySecurity Management

Catelites Malware Targets Bank Customer Logins

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Sophisticated fake mobile banking app interface for Android will steal your bank login credentials

Thousands of Android customers are at risk from a new variant of the ‘CronBot’ malware that is targetting banking customers.

The new malware, dubbed ‘Catelites Bot’ by Avast Threat Labs and researchers at SfyLabs, is said to be currently targeting customers of over 2,200 banks and financial institutions worldwide.

The malware is essentially a fake mobile banking app interface for the Android platform and its mission is to steal people’s bank account login credentials.

mobile banking apps

Fake Apps

The news of the new Catelites Bot targetting Android users was revealed by Nikolaos Chrysaidos, head of mobile threats and security at Avast, as well as Pham Duy Phuc, mobile malware researcher of SfyLabs.

They pointed out that 20 members of the criminal gang behind the CronBot banking Trojan which managed to steal over $900,000, were arrested in May.

It transpires that this gang hid the Trojan within a host of phony apps, some designed to look like authentic online banking apps, some designed to look like pornography apps.

Unfortunately, their CronBot infected ‘apps’ were installed on one million Android devices, and although the gang were arrested, their malware continues to operating.

“Now, the Avast Threat Labs team have uncovered and analysed with SfyLabs a new version of the malware, dubbed Catelites Bot, which shares similarities with the malware used for CronBot,” said the two researchers. “While we have no hard evidence that the Catelites actor is linked to Cron, it is likely that Cron members have used the Catalites malware in their campaigns based on what we’ve seen so far.”

The researchers said in the past few months, they have seen one or two fake apps per week attacking Android devices to make unsuspecting victims download the malware. Once this malware is downloaded, “the criminals use very sophisticated social engineering tricks to get credit card information and possibly the ability to get into the victim’s bank account.”

The researchers warn that the malware gets “dropped” onto the victim’s device after they download an app from a third-party app store (not official shops such as Google Play) or from malicious adware (malvertisements) or phishing sites. Once dropped onto the Android device, the malicious app looks like the icon seen in the screen below and is titled “System Application.”

If the user clicks the malicious “System Application” app icon, it will ask them for admin rights. If the user grants that permission, the malware begins its work.

Bank Attack

“The icon for the (fake) app you downloaded disappears and then, three familiar-looking, trusted app icons get dropped onto your home screen: one for Gmail, one for Google Play, and one for Chrome,” said the researchers. “The malware author uses two sophisticated ‘social engineering’ techniques to encourage you to open one of these three apps in order to display a fake overlay that invites you to enter sensitive information like your credit card.”

And because the fake apps supposedly from Gmail, Google Play and Chrome are on the home screen, the user is more likely to open them, thereby activating the malware.

“Worse still, this piece of malware can also go after your bank account login details,” the researchers warned. “This malware has the ability to pose as over 2,200 banks and financial institutions. It does so by adopting the logo and mobile application name of a bank used in the Google Play Store, allowing the author to use simple templates to harvest username and password or credit card information.”

“The overlay is HTML-based and not as sophisticated as other Android banking malware such as LokiBot, Red Alert, or Exobot, but the power here is clearly in the shotgun approach: using simple phishing overlay screens, the criminals are able to target many more users, increasing their likelihood of financial gain,” they warned.

Think Twice

Avast advises users to beware of any strange requests for admin rights and always think twice about granting any admin rights request. Also, Android users are advised that if they open their bank app and something doesn’t look right, shut it down.

If users suspect their Android malware on their phone, boot the device in safe mode and remove any suspicious apps.

Of course, it goes without saying that users should also only get their apps from reputable stores such as Google Play.

“Catelites Bot has developed a sophisticated way to target more than 2,200 banks worldwide with fake mobile banking app interfaces,” said Avast’s Nikolaos Chrysaidos. “The malware has the ability to automatically and interactively pull Android banking apps’ logos and names from the Google Play Store.”

Unfortunately, Google Play Store has had many security issues over the years. Indeed, malicious code regularly turns up on Google Play as well, having bypassed security checks.

Last month a new version of a persistent family of banking malware was discovered on Google Play, after at least four previous versions were removed from Google’s official Android app store earlier this year.

The latest variants of the BankBot Trojan posed as flashlight apps, solitaire games or smartphone cleaner software.

Do you know all about security in 2017? Try our quiz!