Android devices have recently become the target of a reworked banking malware that abuses the accessibility features of Android smartphones and tablets with the intention of stealing user credentials from European banking applications. The malicious campaign has been observed active since May of this year.
Earlier, in January, Italy's CERT-AGID unveiled Oscorp, a piece of malware built to attack a range of financial targets with the aim of stealing money from unsuspecting victims. Beyond its wide array of capabilities, the malware was reported to be able to intercept SMS messages and initiate phone calls, and to perform overlay attacks that steal data from more than 150 mobile apps by mimicking their login screens.
Oscorp was spread through malicious SMS messages, and most of the attacks were carried out in real time: the operators impersonated a bank to trick targets and then obtained unauthorized access to the infected device by means of WebRTC.
After a short period of inactivity, researchers have seen indications that Oscorp may have returned, this time as part of an Android botnet known as UBEL.
Italian cybersecurity firm Cleafy found, by comparing samples, that Oscorp and UBEL share numerous features and the same malicious code base. Moreover, the project's source code appears to be shared among many threat actors. This discovery suggests that the malware may simply have been rebranded.
According to the study, the banking and other applications targeted by Oscorp are used all over the world, with targets in Spain, Poland, Germany, Turkey, Italy, France, the United States, Japan, Australia, and India.
The rebranded version, which goes by the name UBEL, is being sold on underground forums for $980. Once the malware is delivered to the device, it tries to set itself up as a service and conceal its presence from the victim, ensuring long-term persistence.
Like Oscorp, UBEL tries to obtain permissions to read and send SMS messages, record audio from the device, install and delete applications, and launch itself automatically, and it abuses Android accessibility services to collect sensitive data such as two-factor authentication codes and login credentials. The collected data is then exfiltrated to a remote server on the internet.
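The permission set described above (SMS, audio, package install/delete, boot launch, overlays) plus a declared accessibility service is a useful triage signal for analysts vetting an APK. The following is an added example, not code from the article or from Cleafy or CERT-AGID: it scores a decoded AndroidManifest.xml for that combination. The weights and the sample manifest are constructed for illustration, not a published scoring scheme or a real Oscorp/UBEL manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest declarations behind the capabilities attributed to Oscorp/UBEL above.
# Weights are a constructed triage heuristic, not a published scoring scheme.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": 2, "android.permission.RECEIVE_SMS": 2,
    "android.permission.SEND_SMS": 2,                 # intercept / send SMS
    "android.permission.RECORD_AUDIO": 1,             # record device audio
    "android.permission.REQUEST_INSTALL_PACKAGES": 1, # install apps
    "android.permission.REQUEST_DELETE_PACKAGES": 1,  # delete apps
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,   # launch itself at boot
    "android.permission.SYSTEM_ALERT_WINDOW": 2,      # overlay fake login screens
}
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Flag risky permissions and accessibility-service declarations in a
    decoded AndroidManifest.xml and return a combined score."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    flagged = sorted(p for p in requested if p in RISKY_PERMISSIONS)
    # An accessibility service is a <service> that only the system may bind,
    # which the manifest expresses via android:permission.
    a11y = any(s.get(ANDROID_NS + "permission") == A11Y_PERMISSION
               for s in root.iter("service"))
    score = sum(RISKY_PERMISSIONS[p] for p in flagged) + (3 if a11y else 0)
    return {"flagged": flagged, "accessibility_service": a11y, "score": score}

# Constructed sample manifest resembling the capability set described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A high score is a prompt for manual review, not a verdict: legitimate SMS or accessibility apps request some of these permissions, so the combination matters more than any single entry.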