MalRhino Android Banking Trojan

The MalRhino Android Banking Trojan is the second threat belonging to an unclassified malware family that was discovered by Check Point Research. While the threat actors took a minimalist approach with their other threatening creations named PixStealer, MalRhino is more in line with typical Android banking Trojans. That doesn't mean that the threat isn't equipped with several novel or rarely seen techniques. The connection between the two threats was made based on similarities in their manifests, logs messages, service and method names, etc. 

MalRhino Analysis

The threat also abuses the Android Accessibility Service to perform its harmful actions. The purpose of the Accessibility Service is to make controlling the device far easier for people with disabilities. Hackers noticed the numerous functions available through it quickly and have been exploiting the service in their malware creations. For example, they can monitor the activities taking place on the device's screen and intercept them. Furthermore, the attackers can simulate clicks and taps as if the user has made them. 

However, the way MalRhino is capable of processing Accessibility Events dynamically is quite interesting. The threat uses JavaScript via Mozilla's Rhino framework. The attackers can then scan the top running application. If it matches one of the targeted applications, the hackers can leverage their remote access to execute specific code. The last time Check Point researchers observed this technique in a malware threat was back in 2016, as part of the Xbot banker malware. 

MalRhino's Attack Chain

The threat is being deployed via fake versions of the Brazilian Inter Bank's iToken application. The package name of the trojanized application is 'com.gnservice.beta, and it could indicate that the threat is still in the early stages of its development. It should be noted that the fake application was available for download from the official Google Play Store.

Once inside the victim's device, MalRhino will display a message asking for Accessibility permissions. To trick the user, the application pretends that it needs permission to function properly. If successful, the Trojan will be able to run targeted applications (mostly bank applications, collect device data, and the list of installed apps and send the acquired information to its Command-and-Control (C&C, C2) server. A more specific, threatening functionality involves retrieving the pin code from the Nubank app. 

The MalRhino threat further showcases the need for caution when granting permissions to the applications on their devices, even if the applications were installed through official store platforms.