Acecard Trojan: A Risk to Users of 30 Android Banking and Payment Applications

Acecard: The Anti-Malware Research team at Kaspersky Lab has identified one of the most dangerous banking Trojans for Android devices ever. The malicious Acecard can attack users of around 30 online financial applications and services and can bypass Google Play store security measures.

During the third quarter of 2015, Kaspersky Lab experts identified an unusual increase in the number of mobile banking attacks in Australia. This increase seemed suspicious and it was soon revealed that the main reason for it was a single banking Trojan: Acecard.

The Acecard Trojan family uses virtually all the malware features available: from theft of a bank's messages and voice mail, to overlaying official application windows with fake messages that resemble an official login page in an attempt to intercept personal information and account details. The latest versions of the Acecard family can attack customer applications from around 30 banks and payment systems. Bearing in mind that these Trojans can overlay any application on command, the total number of attacked financial applications can be much higher.

In addition to banking applications, Acecard can also overlay the following applications with phishing windows:

  • Direct messaging services: WhatsApp, Viber, Instagram, Skype
  • Social Media: VKontakte, Odnoklassniki, Facebook, Twitter
  • Gmail
  • The PayPal mobile application
  • Google Play apps and Google Music apps

This malicious software was first detected in February of 2014, but for a long time it showed almost no malicious activity. Everything changed in 2015, when Kaspersky Lab researchers detected a sharp increase in attacks: from May to December of 2015, over 6,000 users were attacked by this Trojan. Most of the attacks targeted people living in Russia, Australia, Germany, Austria and France.

During the two years of observation, Kaspersky Lab researchers witnessed the active development of the Trojan. They recorded more than 10 new versions of the malware, each of which had a much longer list of malicious functions than the previous one.

Mobile devices were usually infected after the download of a malicious application that was presented as legitimate. Acecard versions are usually distributed posing as Flash Video Player or porn, though sometimes other names are used in an attempt to imitate popular software.

But this is not the only way that this malware is distributed. On 28 December 2015, Kaspersky Lab experts identified a version of the Acecard downloader Trojan (Trojan-Downloader.AndroidOS.Acecard.b) in the official Google Play store. For distribution, the Trojan masquerades as a game. When the malware is installed from Google Play, the user sees only an Adobe Flash Player icon on the desktop screen and no real indication of the installed application.

Having carefully examined the malware code, Kaspersky Lab experts tend to believe that Acecard was created by the same group of cybercriminals that was responsible for the first TOR Trojan for Android devices (Backdoor.AndroidOS.Torec.a) and the first mobile encryptor / ransomware (Trojan-Ransom.AndroidOS.Pletor.a).

This is based on similar lines of code (method and class names) and the use of the same C&C (Command and Control) servers. This shows that Acecard was created by a powerful and experienced group of criminals, most likely Russian-speaking.

"This group of cybercriminals uses virtually every available method to disseminate the banking Trojan Acecard. It can be distributed under the guise of another program, via official app stores or through other Trojans. One particular feature of this malware is that it is capable of overlaying more than 30 banking systems and payment systems, as well as social media, instant messaging and other applications. The combination of Acecard's capabilities and propagation methods makes this malicious program one of the most dangerous threats to today's users," warns Roman Unuchek, Kaspersky Lab's Senior Malware Analyst in the US.

To avoid infection by this malware, Kaspersky Lab recommends the following:

- Do not download and / or install any applications from Google Play or internal sources if they are unreliable or could be considered as such

- Do not visit suspicious websites with specific content and do not click suspicious links

- Install a reliable security solution for mobile devices, such as Kaspersky Internet Security for Android

- Make sure your antivirus databases are up to date and working properly

More information about the Acecard Trojan is available in a dedicated blog post on Securelist.com.


Written by Dimitris
