Acecard Trojan: Users of 30 Android Banking and Payment Apps at Risk

Acecard Trojan: The anti-malware research team at Kaspersky Lab has detected one of the most dangerous banking Trojans ever seen for Android devices. The Acecard malware can attack approximately 30 online financial applications and services and may bypass the Google Play store security measures.

During the third quarter of 2015, Kaspersky Lab experts detected an unusual increase in the number of banking attacks on mobile devices in . This increase looked suspicious and very soon it was revealed that the main reason for its appearance was a single banking Trojan: Acecard.

The Acecard Trojan family uses virtually every malware feature available: from stealing a bank's text and voice messages, to overlaying official application windows with fake messages that resemble an official login page in an attempt to intercept personal information and account details. The latest versions of the Acecard family can attack customer applications from around 30 banks and payment systems. Bearing in mind that these Trojans can overlay any application on command, the total number of attacked financial applications can be much higher.

In addition to banking applications, Acecard can also overlay the following applications with phishing windows:

  • Instant messaging services: WhatsApp, Viber, , Skype
  • Social Media: VKontakte, Odnoklassniki, Facebook, Twitter
  • Gmail
  • The PayPal app
  • Google Play apps and Google Music apps

This malicious software was first detected in February of 2014, but for a long time it showed almost no malicious activity. Everything changed in 2015, when Kaspersky Lab researchers detected a sharp increase in attacks: from May to December of 2015, over 6,000 users were attacked by this Trojan. Most of the attacks targeted people living in Russia, Australia, Germany, Austria and France.

During the two-year observation, Kaspersky Lab researchers have witnessed the active development of the Trojan. They recorded more than 10 new versions of the malware, each of which had a much longer list of malicious functions than the previous one.

Mobile devices were usually infected after a malicious application presented as legitimate was downloaded. Acecard versions are usually distributed as Flash Video Player or porn, though sometimes other names are used in an attempt to imitate popular software.

But that's not the only way this particular malware is distributed. On December 28, 2015, Kaspersky Lab experts detected a version of the Acecard downloader Trojan (Trojan-Downloader.AndroidOS.Acecard.b) in the official Google Play store. For its distribution, the Trojan "hides behind" a game. When the malware is installed from Google Play, the user sees only an icon on the desktop and no real indication of the installed app.

After carefully examining the malware code, Kaspersky Lab experts tend to believe that Acecard was created by the same group of digital criminals that was responsible for the first TOR Trojan for Android devices (Backdoor.AndroidOS.Torec.a) and the first mobile encryptor / ransomware (Trojan-Ransom.AndroidOS.Pletor.a).

The evidence for this rests on similar lines of code (method and class names) and the use of the same C&C (Command and Control) servers. This proves that Acecard was created by a strong and experienced group of criminals, probably Russian-speaking.

"This group of cybercriminals uses virtually every available method to disseminate the banking Trojan Acecard. It can be distributed under the guise of another program, via official app stores or through other Trojans. One particular feature of this malware is that it is capable of overlaying more than 30 banking systems and payment systems, as well as social media, instant messaging and other applications. The combination of Acecard's capabilities and propagation methods makes this malicious program one of the most dangerous threats to today's users," warns Roman Unuchek, Kaspersky Lab's Senior Malware Analyst in the US.

To avoid infection by this malware, Kaspersky Lab recommends the following:

- Do not download and / or install any applications from Google Play or internal sources if they are untrustworthy or cannot be treated as trustworthy

- Do not visit suspicious websites with specific content and do not click suspicious links

- Install a reliable security solution for mobile devices, such as Kaspersky Internet Security for Android

- Make sure your antivirus databases are up to date and working properly

More information about the Acecard Trojan is available in a dedicated blog post on Securelist.com.


Written by Dimitris
