Banking trojans are a class of trojans that target financial apps to steal users' credentials and commit some form of banking fraud. Different trojans employ different techniques to trick users into handing over their credentials.
Jul 10, 2021
Decentralized threat hunting with Polyswarm
Apr 25, 2021
Hunting malware has largely been about a specific vendor. Symantec, Lookout and the like develop different engines capable of detecting malware samples. They do this either by looking up the hash of the file in their database or by detonating it in a secure VM and observing the results.
Android meet ElasticBeats - Architecting lightweight endpoint sensor
Feb 26, 2021
Android & Elastic Beats
Privacy Grade for Apps
Nov 19, 2020
Introduction
Personal devices are ubiquitous. We carry them everywhere we go and give them unprecedented access to our private and sensitive information: where we work, live, sleep, etc. Tech giants like Google and Facebook have found ways to aggregate this information and sell it to companies in search of potential customers. Data collection is a big part of this process. Google, with its Android ecosystem, is in a unique position to control this flow of data between our devices and its servers. Apple, for its part, controls the same with its iOS platform. On top of these platforms, third-party developers publish apps that collect their own copy of our private information and accumulate it on their own servers (e.g. Facebook) or send it to advertising companies. To make matters worse, data broker companies aggregate data from various sources and sell "enhanced" data back to customers looking to advertise their products.
Security gaps in virtualized apps
Aug 18, 2020
Introduction
Almost all mobile apps are designed to run natively on our phones without any additional virtualization software. The underlying OS manages resources and provides the infrastructure needed to run apps securely. In Android, every app is assigned a unique UID upon process initialization, giving it an isolated view of the system and preventing it from interfering with other apps and their data.
Foxcatcher - Chasing Malwares
Jul 4, 2019
Two weeks ago I had a hunch that some malware was being distributed through phishing URLs. The process involves analyzing phishing feeds from known sources (OpenPhish/PhishTank) and loading them in headless Chrome to see if I can find APK/IPA links or official store links that might be affiliated with the attackers.