Acecard Description

Acecard is a family of mobile banking Trojans that displayed a remarkable rate of evolution in a relatively short period following its first discovery. The rapid development may be explained by the fact that the hackers behind Acecard had already been involved with two previous mobile malware threats - Backdoor.AndroidOS.Torec.a, the first TOR Trojan for Android, and Trojan-Ransom.AndroidOS.Pletor.a, the first ransomware for mobile devices. The evidence that all three threats were spawned by the same group of hackers can be found in the significant code overlap, as well as in the identical class, method and variable names. All three threats target Android devices.

During its activity, Acecard changed almost all of its characteristics. The Trojan began as a credentials collector from various social media applications but evolved to include banking applications from numerous countries. At the same time, the geolocation of the targeted users diverged drastically, with the four countries most impacted by the threat being Russia, Australia, Germany and France. For a certain period, the U.S. was the third most affected country.

Expanding a Set of Threatening Commands

In the early days of the Acecard family, the threat had a fake overlay window for just the Google Play store and could handle only four commands received from the Command-and-Control (C&C, C2) server:

  • Initiate SMS interception
  • Stop SMS interception
  • Send an SMS to a determined number provided by the C&C server
  • Change the control number for the compromised device

In the very next iteration, however, the criminals had already expanded the array of available commands to 15, including collecting SMS messages, grabbing a list of the installed applications, and exfiltrating the device's coordinates. Other major changes were the use of the TOR network for communication with the C&C, and a significant increase in the number of phishing windows, which could now overlay the WhatsApp, Viber, Instagram, Skype, VKontakte, Odnoklassniki, Facebook, Gmail and Twitter applications.

Then, the hackers moved their attention to Australia by including a phishing overlay for the most popular bank in the country. At the same time, the TOR network was no longer used for C&C communication. In a version detected just two days later, Acecard was now capable of collecting credentials from four Australian banks. This version also saw, for the first time in the threat family, the inclusion of a geo-restriction mechanism. Acecard checked the country code and the service provider code of the infected device, and if they matched Russia, the malware terminated its execution.

After a couple of months of lower activity, the hackers were back at it again with a new version that had been equipped with a fake PayPal login overlay. It also had a new command added that, when invoked, would reset the victim's device to factory settings. The next version of Acecard showed the hackers' interest in expanding their reach by including phishing windows for four New Zealand and three German banks. At that point, Acecard had fake overlays for 20 different applications, 13 of which were banks. That, however, was not enough for the criminals, and they cranked the development of the threat into overdrive - in several subsequent Acecard versions, overlays for more banks in Australia were added, as well as new targets from Hong Kong, Austria, the three biggest banks in the U.S., three Singaporean banks and finally, one Spanish bank. New functionalities were also introduced, such as the threat's ability to transfer inbound emails from specific banks directly to the criminals. Later, that ability was refined, and instead of the entire SMS, Acecard now only forwarded any verification or registration codes.
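The capability set described in the two passages above (overlay phishing windows, SMS interception and sending, location exfiltration, and a factory-reset command) maps onto a recognisable combination of Android permissions. The following is an added triage example, not code from the original page or from any Acecard analysis: it parses a constructed AndroidManifest.xml and flags a sample whose declared permissions cover that combination. The permission names are real Android identifiers; the manifests and the scoring rule are assumptions made for illustration.

```python
"""Triage heuristic: flag APK manifests whose permission set matches the
overlay-plus-SMS-interception profile of Acecard-style banking Trojans."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviours the text attributes to Acecard, and the permissions each needs.
CAPABILITIES = {
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "location_exfil": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
}

def parse_manifest(xml_text):
    """Return (declared permissions, whether a device-admin receiver exists)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A factory reset (DevicePolicyManager.wipeData) needs a receiver guarded
    # by BIND_DEVICE_ADMIN, so its presence is recorded as a capability.
    device_admin = any(e.get(ANDROID_NS + "permission") ==
                       "android.permission.BIND_DEVICE_ADMIN"
                       for e in root.iter("receiver"))
    return perms, device_admin

def triage(xml_text):
    """Return (sorted capability names, True if the hallmark combo is present)."""
    perms, device_admin = parse_manifest(xml_text)
    found = {cap for cap, needed in CAPABILITIES.items() if perms & needed}
    if device_admin:
        found.add("device_admin")
    # Overlay windows together with SMS interception is the profile to escalate.
    return sorted(found), {"overlay_phishing", "sms_interception"} <= found

# Constructed manifests (not real samples) for a self-contained run.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application><receiver android:name=".Admin"
    android:permission="android.permission.BIND_DEVICE_ADMIN"/></application>
</manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(m))
```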

Acecard Posed as Popular Applications for Propagation

To trick users into installing the Acecard threat, the hackers used nearly all known methods. They distributed the malware under the guise of a Flash Player or porn video, pretended to be other useful or popular applications and even employed a dropper Trojan. This dropper posed as a game application, but almost no effort went into creating a more believable disguise. In fact, immediately after installation, it would simply create an Adobe Flash icon on the infected device. The dropper Trojan still managed to bypass the security measures of the official Google Play Store and was available for download before being taken down.

Another version of the dropper Trojan was equipped with vulnerability exploitation abilities. As a result, it could escalate its privileges to the super-user level and subsequently deliver the Acecard malware payload to the system folder directly and prevent it from being deleted by the affected user.