Aberebot Banking Trojan

Aberebot Banking Trojan Description

A new Banking Trojan strain was analyzed by researchers at Cyble. Named Aberebot, its behavior is consistent with that of other malware of this type. The goal of the attackers is to install Aberebot on the victim's Android device, obtain numerous permissions, and then collect sensitive information, mainly banking credentials. The threat is capable of targeting customers of over 140 banks spread across 18 countries. 

As an infection vector, Aberebot most likely relies on phishing campaigns that deliver it through third-party application platforms. The threat has also been observed disguising itself as the legitimate Google Chrome application. 

Threatening Capabilities

The weaponized application requests 10 permissions on the device that, if granted, allow it to perform various threatening actions. Aberebot can collect various kinds of information, such as the contacts of the compromised user, while intercepting any incoming OTPs (One-Time Passwords) delivered via SMS, which defeats SMS-based two-factor authentication. To obtain the victim's banking credentials, Aberebot employs the typical overlay method: a phishing page is displayed in a WebView on top of the legitimate banking application. The phishing pages are fetched on demand from a GitHub repository, which keeps them out of the APK itself and reduces the threat's footprint drastically. 

Aberebot is capable of abusing the Android Accessibility Service to grant itself various other permissions by clicking through the permission dialogs on the user's behalf. The Accessibility Service also allows the threat to spy on the user by monitoring the contents of the device's screen. The same permission is further exploited to prevent the user from modifying the malicious application's settings, which makes it harder to disable or uninstall. 

The exact actions performed by Aberebot are controlled through constant communication with a C2 (Command-and-Control) server. The C2 channel is hosted on a Telegram bot account, so its traffic goes to the legitimate Telegram Bot API rather than to attacker-owned infrastructure.
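The traits above (a suspicious permission set, a declared Accessibility Service, a Telegram bot token used as C2, and overlay pages pulled from a GitHub repository) are all visible in a decoded APK before it is ever run. The following Python script is an added example of a static triage check for them; it is not Cyble's tooling and not Aberebot's own code. It assumes the manifest has already been decoded to XML (for instance with apktool) and that the APK's strings have been extracted to a list. The sample manifest, package name, bot token and URLs below are constructed for the example and are not real Aberebot indicators.

```python
"""Static triage of a decoded Android APK for overlay-banking-trojan traits.

Added example, not the researchers' or the malware's code. Both sample inputs
below are constructed; the bot token and URLs are not real indicators.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that enable the behaviours described in the text. None is
# malicious on its own; the combination is what raises suspicion.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.SEND_SMS": "can send SMS",
    "android.permission.READ_CONTACTS": "can harvest contacts",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays (WebView phishing)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can auto-start after reboot",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can side-load further APKs",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Telegram Bot API call with the bot token embedded: /bot<id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)")
# Raw content served straight from a GitHub repository (remote overlay pages).
GITHUB_RAW_RE = re.compile(
    r"https?://raw\.githubusercontent\.com/[\w.-]+/[\w.-]+/[\w.-]+/\S+")


def requested_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def declares_accessibility_service(manifest_xml):
    """True if any <service> is protected by BIND_ACCESSIBILITY_SERVICE,
    i.e. the app ships a component the user can enable as an accessibility
    service, which is the hook used to auto-grant permissions and read the screen."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
               for svc in root.iter("service"))


def find_c2_indicators(strings):
    """Telegram bot endpoints (secret masked so reports do not leak the token)
    and raw GitHub URLs found in the string table."""
    telegram, github = [], []
    for s in strings:
        for bot_id, secret, method in TELEGRAM_BOT_RE.findall(s):
            telegram.append(f"bot{bot_id}:{secret[:4]}...:{method}")
        github.extend(GITHUB_RAW_RE.findall(s))
    return {"telegram_bot": telegram, "github_raw": github}


def triage(manifest_xml, strings):
    """Combine the checks into a score; weights are this example's own choice."""
    perms = requested_permissions(manifest_xml)
    hits = {p: why for p, why in SUSPICIOUS_PERMISSIONS.items() if p in perms}
    acc = declares_accessibility_service(manifest_xml)
    c2 = find_c2_indicators(strings)
    score = (len(hits) + (3 if acc else 0)
             + (2 if c2["telegram_bot"] else 0) + (1 if c2["github_raw"] else 0))
    return {"permissions": hits, "accessibility_service": acc, "c2": c2,
            "score": score,
            "verdict": "likely banking trojan" if score >= 6 else "review manually"}


# Constructed sample: an app posing as Chrome with the profile described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Chrome">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: strings as extracted from the APK (fake token, fake repo).
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot123456789:AAFakeTokenForTheExample_0123456789/sendMessage",
    "https://api.telegram.org/bot123456789:AAFakeTokenForTheExample_0123456789/getUpdates",
    "https://raw.githubusercontent.com/example-org/pages/main/bank_login.html",
    "Lcom/example/fakechrome/AccService;",
]

# Constructed contrast case: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS), indent=2))
```

On the constructed sample the script reports five suspicious permissions, an accessibility service, two Telegram bot endpoints and one raw GitHub URL, for a score of 11 and the verdict "likely banking trojan"; the benign manifest scores 0. The token is masked in the output on purpose: a bot token is a credential, and pasting it whole into a ticket or a shared report gives anyone who reads it the ability to query the attacker's bot. Treat the score as a triage signal, not a verdict; legitimate SMS apps and accessibility tools will trip individual checks.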