Tuesday, December 17, 2024

Mamont banker under the guise of a tracking app


We've discovered a new scheme for distributing the Mamont (Russian for mammoth) banking Trojan. Scammers promise to ship a certain product at wholesale prices that could be of interest to small businesses as well as private consumers, and offer to install an Android application to track the package. However, instead of a tracking application, the victim installs a Trojan that can steal banking credentials, push notifications, and other financial information.

Scheme details

The attackers claim to sell various goods at fairly attractive prices through a number of websites. To make a purchase, the victim is asked to join a private Telegram chat, where instructions for placing an order are posted. In essence, these instructions boil down to the fact that the victim needs to write a private message to the manager. The channel itself exists to make the scheme look more convincing: members of this chat ask clarifying questions, receive answers, and comment on goods. Most likely, the chat contains both other victims of the same scheme and bots that create the appearance of active trading.

The scheme is made more credible by the fact that the scammers don't require any prepayment: the victim gets the impression that they're not risking anything by placing an order. But some time after talking to the manager and placing an order, the victim receives a message that the order has been shipped, and its delivery can be tracked using a special application. A link to the .apk file and the tracking number of the shipment are included. The message additionally emphasizes that, to pay for the order after receiving it, you must enter the tracking number and wait while the order is loading (which may take more than half an hour).

The link leads to a malicious site that offers to download a tracker for the shipped parcel. In fact, it's not a tracker, but the Mamont banking malware for Android. When installed, the "tracker" requests permission to operate in the background, as well as to work with push notifications, SMS and calls. The victim is required to enter a code, supposedly for tracking the parcel, and wait.

What is this malware and why is it dangerous?

In fact, after the victim enters the received "track code", which is apparently used as the victim's identifier, the Trojan begins to intercept all push notifications received by the device (for example, confirmation codes for banking transactions) and forward them to the attackers' server. At the same time, Mamont establishes a connection with the attackers' server and waits for further commands. Upon command, it can:

  • change the application icon to a transparent one to hide it from the victim;
  • forward all incoming SMS messages of the last three days to the attackers;
  • open an interface for uploading a photo from the phone's gallery to the attackers' server;
  • send an SMS to an arbitrary number.

In addition, the attackers can show the victim arbitrary text with boxes for entering additional information. This way they can manipulate the victim into submitting further credentials, or simply collect more information for further attacks using social engineering (for example, threatening letters purportedly from regulators or law enforcement agencies). They probably steal photos from the gallery for the same purpose. This is especially dangerous if the victim is a small business owner: such owners often use their phone camera to quickly photograph business information.
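The capability set described above (running in the background, reading every notification, handling SMS and calls) is far more than a parcel tracker needs, and that mismatch is something a defender can check for. The following is an added example, not code from Kaspersky or from this post: a small Python triage script that takes a list of installed apps with their installer package and declared permissions and flags sideloaded apps that combine two or more of those sensitive capability groups. The permission strings are real Android manifest identifiers; the `InstalledApp` records, the `OFFICIAL_INSTALLERS` set and the "two groups" threshold are constructed assumptions for illustration, not a vendor detection rule.

```python
"""Heuristic triage of installed Android apps against the Mamont 'tracker' profile.

Added example: the app records and scoring rule below are constructed for
illustration and are not taken from the article or from any vendor product.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Real Android manifest identifiers for the capability groups the article lists.
NOTIFICATION_ACCESS = frozenset({
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",  # reads every notification
})
SMS_ACCESS = frozenset({
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
})
CALL_ACCESS = frozenset({
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
})
BACKGROUND = frozenset({
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.FOREGROUND_SERVICE",
})
SENSITIVE_GROUPS = [NOTIFICATION_ACCESS, SMS_ACCESS, CALL_ACCESS, BACKGROUND]

# Installer package names treated as "official store" (assumption; Google Play
# reports itself as com.android.vending).
OFFICIAL_INSTALLERS = frozenset({"com.android.vending"})


@dataclass(frozen=True)
class InstalledApp:
    package: str
    installer: Optional[str]          # None when the APK was sideloaded by the user
    permissions: FrozenSet[str]


def is_sideloaded(app: InstalledApp) -> bool:
    return app.installer not in OFFICIAL_INSTALLERS


def triage(app: InstalledApp) -> List[str]:
    """Human-readable findings for one app; an empty list means nothing noteworthy."""
    findings = []
    if is_sideloaded(app):
        findings.append("sideloaded (not installed by an official store)")
    if app.permissions & NOTIFICATION_ACCESS:
        findings.append("can read every notification, including one-time banking codes")
    if app.permissions & SMS_ACCESS:
        findings.append("can read, receive or send SMS")
    if app.permissions & CALL_ACCESS:
        findings.append("can access phone state or calls")
    if app.permissions & BACKGROUND:
        findings.append("asks to keep running in the background")
    return findings


def is_suspicious(app: InstalledApp) -> bool:
    """Flag a sideloaded app that combines two or more sensitive capability groups.

    Store-installed apps are left alone here: a legitimate messenger legitimately
    holds SMS and call permissions, so sideloading is what tips the balance.
    The 'two groups' threshold is an assumed tuning knob.
    """
    hits = sum(1 for group in SENSITIVE_GROUPS if app.permissions & group)
    return is_sideloaded(app) and hits >= 2


# Constructed sample inventory: a real tracker, a store-installed messenger,
# and a sideloaded "tracker" with the permission profile described in the article.
SAMPLE_APPS = [
    InstalledApp("com.example.realtracker", "com.android.vending",
                 frozenset({"android.permission.INTERNET",
                            "android.permission.ACCESS_FINE_LOCATION"})),
    InstalledApp("com.example.messenger", "com.android.vending",
                 frozenset(SMS_ACCESS | {"android.permission.READ_PHONE_STATE"})),
    InstalledApp("com.example.faketracker", None,
                 frozenset(NOTIFICATION_ACCESS | SMS_ACCESS | CALL_ACCESS | BACKGROUND
                           | {"android.permission.INTERNET"})),
]


def suspicious_packages(apps: List[InstalledApp] = SAMPLE_APPS) -> List[str]:
    """Package names from the inventory that match the suspicious profile."""
    return [app.package for app in apps if is_suspicious(app)]


if __name__ == "__main__":
    for app in SAMPLE_APPS:
        verdict = "SUSPICIOUS" if is_suspicious(app) else "ok"
        print(f"{app.package}: {verdict}")
        for line in triage(app):
            print(f"    - {line}")
```

On a real device the same data comes from `PackageManager` (the installer package name and the requested permissions of each installed package); the point of the heuristic is that a parcel tracker has no reason to hold notification-listener and SMS permissions at once, while a sideloaded app that does should be reviewed before any "track code" is typed into it.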

Our security solutions detect the malware distributed in this attack as Trojan-Banker.AndroidOS.Mamont.*. A more detailed technical description of the malware, as well as indicators of compromise, can be found in the dedicated Securelist blog post.

Targets of this scheme

This campaign is aimed exclusively at Russia-based users of Android smartphones. The attackers emphasize this and refuse to "ship goods" anywhere else. However, cybercriminals' tools often become freely available on the darknet, so it's impossible to guarantee that users from other countries are immune to this threat.

How to stay safe

We recommend following simple safety rules to avoid infecting your smartphone with this (or any other) malware. This is especially important if the phone is used not only for personal needs, but also for business. Here are those simple safety rules:

  • be skeptical of especially favorable offers of goods and services on the internet (if the price is significantly lower than the usual market price, the seller is benefiting in some other way);
  • don't run .apk files obtained from unknown sources; apps should be installed from official stores or from the official resource of a particular service;
  • use a reliable security solution, which will prevent malware from being installed on your device and block malicious links.
