Cybercrooks have put together a dynasty of Android Trojan apps in a bid to imitate the legitimate apps of 33 financial management institutions across the globe.
The SlemBunk apps (which commonly masquerade as popular applications, such as social media, utility, etc) have spread across three major continents: North America, Europe, and Asia Pacific, according to security researchers at FireEye.
Once installed, these apps have the ability to phish for and harvest authentication credentials when specified banking and other similar apps are launched. Moreover, attacks based on the malware are active and ongoing, FireEye warns.
SlemBunk has not been sighted on the Google Play Android store. It therefore seems that users are getting infected with the mobile malware by either sideloading it, or downloading it from a malicious website.
The latest SlemBunk apps were distributed via porn websites. Users who visit these sites are incessantly prompted to download an Adobe Flash update to view smut, and in doing so download the malware.
This has, of course, long been a favourite malware distribution tactic.
FireEye’s investigation of SlemBunk has identified more than 170 samples with various features and characteristics, including the ability to persistently infect compromised devices (persistence) and the ability to receive and execute remote commands.
Highly customised login UI (user interface) to mimic a variety of high profile banks, and the ability to snaffle login credentials and device information, come as standard across the mobile cybercrime utility’s extended family.
The number of devices affected by the mobile malware – much less who is behind the attack or how much they might have made – remains unclear.
A blog post by FireEye does however provide a good technical and general description of the sophisticated nasty. ®