Android Malware BrazKing Returns as a Stealthier Banking Trojan

The BrazKing Android banking trojan has returned with dynamic banking overlays and a new implementation trick that lets it operate without requesting the risky permissions that would draw attention.

IBM Trusteer researchers analyzed a new sample, which they found outside the Play Store on sites that victims reach after receiving smishing (SMS phishing) messages.

These HTTPS sites warn the prospective victim that their Android version is outdated and offer an APK that supposedly updates it to the latest version.

Warning message urging users to click (Source: IBM)

Only asking for a single permission

If the user allows installation from unknown sources, the malware is installed on the device and asks the user to grant it access to the Accessibility Service.

This single capability is abused to capture screen contents and keystrokes without requesting any additional permissions that would raise suspicion.

More specifically, the accessibility service is used by BrazKing for the following malicious activity:

  • Dissect the screen programmatically, reading the view hierarchy rather than capturing a screenshot image. Screenshots can also be captured programmatically, but on a non-rooted device that requires an explicit prompt the user must approve.
  • Keylogging, by reading the views on the screen as the user types.
  • RAT capabilities: BrazKing can manipulate the target banking application by tapping buttons or entering text on the user's behalf.
  • Read SMS without the 'android.permission.READ_SMS' permission, by reading text messages as they appear on the screen. This gives the actors access to 2FA codes.
  • Read contact lists without the 'android.permission.READ_CONTACTS' permission, by reading the entries shown on the "Contacts" screen.
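The profile described above, an accessibility service plus almost no other permissions, is itself a useful triage signal when looking at a suspicious APK. The script below is an added example, not IBM Trusteer's tooling: it parses a decoded AndroidManifest.xml and labels the permission profile. It assumes the manifest has already been decoded from binary AXML to plain XML (for instance with apktool); the three sample manifests are constructed for the demo and are not artefacts from a real BrazKing sample. A legitimate screen reader would match the same "accessibility-only" pattern, so the result is a prompt for manual review, not a verdict.

```python
"""Triage heuristic for a decoded AndroidManifest.xml (added example, not
IBM Trusteer's tooling). It looks for the permission profile the article
describes for BrazKing: an accessibility service is declared, while the
permissions an older overlay banker would request (overlay, SMS, contacts,
package enumeration) are absent. Assumes the manifest has already been
decoded from binary AXML to plain XML, e.g. with apktool."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Permissions the article says BrazKing avoids by reading the screen instead.
NOISY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.QUERY_ALL_PACKAGES",
}


def parse_manifest(xml_text):
    """Return the package name, requested permissions and any service that is
    wired up as an accessibility service (by bind permission or intent action)."""
    root = ET.fromstring(xml_text)
    permissions = {u.get(NAME) for u in root.iter("uses-permission")}
    a11y_services = []
    for svc in root.iter("service"):
        actions = {a.get(NAME) for a in svc.iter("action")}
        if svc.get(PERMISSION) == BIND_A11Y or A11Y_ACTION in actions:
            a11y_services.append(svc.get(NAME))
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "accessibility_services": a11y_services,
    }


def classify(xml_text):
    """Label the manifest's permission profile. 'accessibility-only' matches
    the BrazKing pattern; a legitimate screen reader would match it too, so
    treat the result as a prompt for manual review, not a verdict."""
    info = parse_manifest(xml_text)
    noisy = sorted(info["permissions"] & NOISY_PERMISSIONS)
    if info["accessibility_services"] and not noisy:
        profile = "accessibility-only"
    elif info["accessibility_services"]:
        profile = "accessibility-plus-noisy-permissions"
    else:
        profile = "no-accessibility-service"
    return {**info, "noisy_permissions": noisy, "profile": profile}


# Constructed sample manifests for the demo (not real BrazKing artefacts).
FAKE_UPDATE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Android Update">
    <service android:name=".ScreenReaderService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

OLD_STYLE_BANKER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.oldbanker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <application>
    <activity android:name=".LoginActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (FAKE_UPDATE_MANIFEST, OLD_STYLE_BANKER_MANIFEST, BENIGN_MANIFEST):
        r = classify(m)
        print(r["package"], "->", r["profile"], r["noisy_permissions"])
```

Run it on a manifest pulled from a real sample with apktool and compare the profile against what the app claims to be: a "system update" that declares an accessibility service and asks for nothing else is exactly the combination this article describes.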

Starting with Android 11, Google treats the list of installed apps as sensitive information, so any app that tries to enumerate all installed packages without a declared need is flagged by Play Protect as malicious.

This is a new problem for overlay banking trojans in general, since they need to know which bank apps are installed on the infected device in order to serve matching login screens.

BrazKing no longer calls the 'getInstalledPackages()' API as earlier versions did; instead, it uses its screen-dissection capability to see which apps are installed on the infected device.

As for overlaying, BrazKing now works without the 'SYSTEM_ALERT_WINDOW' permission, so it cannot draw a fake screen on top of the original app the way other trojans do.

Instead, it loads the fake screen from a URL on the attacker's server inside a WebView window that is added from within the accessibility service. This covers the target app and all of its windows but does not force the user out of it.

Overlaying through the Accessibility service (Source: IBM)

When it detects a login to an online banking app, the malware no longer displays built-in overlays; instead, it contacts the command and control server to fetch the matching login overlay to display.

This dynamic overlay system makes it easier for the threat actors to steal credentials for a broader range of banks. Serving the overlays from their own servers also lets them update the fake login screens whenever the legitimate banking apps or sites change, or add support for new banks.

Obfuscation and resistance to deletion

The new version of BrazKing protects its internal resources by XORing them with a hardcoded key and then Base64-encoding the result.

Analysts can reverse these steps quickly, but the extra layer still helps the malware evade simple string-based detection once it is installed on the victim's device.
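Reversing the two layers is mechanical once the key is known, and when it is not, a known plaintext fragment is usually enough to recover it. The script below is an added example, not code from the IBM report or from the malware: it implements the XOR-then-Base64 scheme the article describes, the analyst-side decoder, and a crib-based key recovery. The key, the strings and the crib are constructed for the demo; the real key has to be pulled from the decompiled APK.

```python
"""Undo the string protection the article describes (added example): the
sample XORs resources with a hardcoded key and then Base64-encodes them, so
an analyst Base64-decodes and XORs with the same key. The key, the strings
and the crib-based key recovery are constructed for this demo; the real key
has to be pulled from the decompiled APK."""
import base64
from itertools import cycle


def xor_bytes(data, key):
    """XOR data with a repeating key (a one-byte key is just the special case)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def protect(plaintext, key):
    """Build-time side: XOR first, then Base64, as the article describes."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key)).decode("ascii")


def recover(encoded, key):
    """Analyst side: reverse the two layers in the opposite order."""
    return xor_bytes(base64.b64decode(encoded), key).decode("utf-8")


def recover_key(encoded, crib, key_len):
    """If a protected string is known to start with `crib` (e.g. 'https://' for
    a C2 URL), XORing ciphertext and crib yields the key bytes directly.
    Needs a crib at least as long as the key; returns None otherwise."""
    if len(crib) < key_len:
        return None
    ciphertext = base64.b64decode(encoded)
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], crib.encode("utf-8")))


def decode_all(encoded_strings, key):
    """Bulk-decode a list of protected strings, marking undecodable ones (wrong
    key, or a string that was never protected) rather than aborting the run."""
    out = []
    for s in encoded_strings:
        try:
            out.append(recover(s, key))
        except (ValueError, UnicodeDecodeError):
            out.append("<undecodable: %s>" % s)
    return out


# Constructed demo data (not strings from a real BrazKing sample).
DEMO_KEY = b"k3y!"
DEMO_STRINGS = ["https://c2.example.invalid/overlay", "com.example.bank", "Back"]
DEMO_PROTECTED = [protect(s, DEMO_KEY) for s in DEMO_STRINGS]

if __name__ == "__main__":
    # Pretend the key is unknown and recover it from the URL scheme crib.
    guessed = recover_key(DEMO_PROTECTED[0], "https://", len(DEMO_KEY))
    print("recovered key:", guessed)
    for s in decode_all(DEMO_PROTECTED, guessed):
        print(s)
```

The order matters: because the sample XORs before Base64-encoding, decoding must strip Base64 first; doing it the other way round yields garbage that still looks like random bytes. The crib trick works because XOR is its own inverse, so ciphertext XOR known-plaintext gives the keystream, and with a short repeating key the first key_len bytes are the whole key.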

Obfuscated BrazKing strings (Source: IBM)

If the user attempts to uninstall the malware, it quickly taps the 'Back' or 'Home' button, using the same accessibility-driven tapping, to interrupt the action.

The same trick is used when the user tries to open an antivirus app in the hope of scanning for and removing the malware with it.

BrazKing’s evolution shows that malware authors quickly adapt to deliver stealthier versions of their tools as Android’s security tightens up.

The ability to snatch 2FA codes and credentials and read screen contents without hoarding permissions makes the trojan a lot more potent than it used to be, so be very careful with APK downloads from outside the Play Store.

According to the IBM report, BrazKing appears to be operated by local threat groups, since it circulates on Portuguese-language websites.
