Bizarro Banking Trojan

Bizarro Banking Trojan Description

A sophisticated banking Trojan named Bizarro is being used against Windows users in Europe and South America. It belongs to the family of Brazilian banking Trojans, but instead of operating only in Brazil, as is usually the case for this group, Bizarro has been deployed globally, with a particular focus on users located in Argentina, Chile, Germany, France, Italy, Spain and Portugal.

The threat actor's goal is to obtain online banking credentials from compromised Windows machines and to hijack Bitcoin wallets. Over 70 banks are targeted by the Bizarro Banking Trojan. It spreads through Microsoft Installer (MSI) packages that are either delivered via links in spam emails or dropped by weaponized applications.

Once Bizarro has been installed on the victim's machine, it kills all running browser processes. The point is to terminate any session with a banking website that may be open at that moment: the victim is forced to log in to the bank again, and this time the malware harvests what they type. To increase its chances of success, Bizarro also disables browser autocomplete and generates fake pop-ups to intercept two-factor authentication codes. The banking Trojan also has screen-capturing capabilities. The most threatening aspect, and what sets Bizarro apart from most other banking Trojans, is its fully-fledged backdoor module.
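The browser-killing step described above is a detectable behaviour on its own: a single non-browser process terminating several different browsers within a few seconds is unusual on an end-user machine. The following is an added example, not code from the original write-up or from any vendor report, that runs such a check over a constructed, EDR-style JSON-lines log. The field names (ts, event, image, killer), the browser list and the thresholds are assumptions that would need mapping onto real telemetry; note that Sysmon's process-termination event does not record which process did the killing, so a field like killer requires an EDR that supplies it.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Browser image names to watch (assumption: extend for the environment).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
            "opera.exe", "brave.exe"}

# Constructed sample log (not real telemetry). Each termination event is
# assumed to carry the terminating process as "killer".
SAMPLE_LOG = """
{"ts": "2021-05-17T10:00:01Z", "event": "process_terminated", "image": "chrome.exe",  "killer": "installer_helper.exe"}
{"ts": "2021-05-17T10:00:01Z", "event": "process_terminated", "image": "chrome.exe",  "killer": "installer_helper.exe"}
{"ts": "2021-05-17T10:00:02Z", "event": "process_terminated", "image": "firefox.exe", "killer": "installer_helper.exe"}
{"ts": "2021-05-17T10:00:03Z", "event": "process_terminated", "image": "msedge.exe",  "killer": "installer_helper.exe"}
{"ts": "2021-05-17T10:05:00Z", "event": "process_terminated", "image": "chrome.exe",  "killer": "explorer.exe"}
{"ts": "2021-05-17T11:00:00Z", "event": "process_terminated", "image": "firefox.exe", "killer": "taskmgr.exe"}
{"ts": "2021-05-17T11:00:05Z", "event": "process_created",    "image": "notepad.exe", "killer": null}
"""


def parse_events(text):
    """Parse JSON-lines events, returning them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_browser_kill_bursts(events, window=timedelta(seconds=30),
                             min_total=3, min_distinct=2):
    """Flag processes that terminated at least `min_total` browser processes,
    spanning at least `min_distinct` different browsers, within `window`.
    Returns {killer_image: sorted list of browser images it killed}."""
    kills_by_killer = defaultdict(list)
    for ev in events:
        if ev.get("event") != "process_terminated" or not ev.get("killer"):
            continue
        image = ev["image"].lower()
        if image in BROWSERS:
            kills_by_killer[ev["killer"].lower()].append((ev["ts"], image))

    hits = {}
    for killer, kills in kills_by_killer.items():
        start = 0
        for end in range(len(kills)):
            # Slide the window start forward until the burst fits inside it.
            while kills[end][0] - kills[start][0] > window:
                start += 1
            burst = kills[start:end + 1]
            distinct = {img for _, img in burst}
            if len(burst) >= min_total and len(distinct) >= min_distinct:
                hits.setdefault(killer, set()).update(distinct)
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for killer, browsers in find_browser_kill_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: {killer} terminated {', '.join(browsers)} within one window")
```

On the constructed log only installer_helper.exe trips the rule; the single kills by explorer.exe and taskmgr.exe (a user closing a browser) stay below the thresholds, which is the point of requiring both a count and a spread across distinct browsers.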

A Powerful Backdoor Functionality

Bizarro's backdoor module recognizes and executes over 100 different commands. It does not activate immediately, though: it waits until it detects a connection to an online banking system whose name matches one of a list of hardcoded strings, and only then are the backdoor's core components activated. Once active, the threat actor can obtain data about the victim's system; search for, exfiltrate, or download files; take control of input devices such as the mouse and keyboard; and display phishing messages such as fake pop-up windows.

Bizarro can download JPEG images containing bank logos and instructions for the victim, which it uses to mimic selected online banking systems. The images are fetched from the Command-and-Control (C2, C&C) server and stored in the user's profile directory in encrypted form. The malware can also display custom messages, which it uses to effectively freeze the compromised machine: while such a message is shown, the user cannot close it or even open Task Manager, the screen is greyed out and the taskbar is hidden.
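Encrypted payload images sitting in the user profile are a useful hunting lead for incident responders. The following is an added example, not code from the original write-up, that walks a directory and flags files with near-maximal Shannon entropy but no header of a known compressed or encrypted container, the usual way to separate ciphertext blobs from legitimate JPEG, ZIP or similar files. The directory layout, file names, entropy threshold and magic-byte list are assumptions for the demo, and the sample "encrypted" file is constructed from random bytes standing in for ciphertext.

```python
import math
import os
import tempfile
from collections import Counter

# Header bytes of containers that are legitimately high-entropy (assumption:
# a short list for the demo; extend it for real triage).
KNOWN_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf": "7z",
    b"Rar!": "rar",
    b"%PDF": "pdf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_container(head: bytes):
    """Return the container name if `head` starts with a known magic value."""
    for magic, name in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def scan_dir(root, threshold=7.5, min_size=256, sample=65536):
    """Walk `root` and return sorted (relative path, entropy) pairs for files
    that look like ciphertext: near-maximal entropy and no known container
    header. Only the first `sample` bytes of each file are read."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) < min_size:
                    continue
                with open(path, "rb") as f:
                    head = f.read(sample)
            except OSError:
                continue
            if known_container(head[:8]):
                continue
            entropy = shannon_entropy(head)
            if entropy >= threshold:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                flagged.append((rel, round(entropy, 2)))
    return sorted(flagged)


def build_sample_profile():
    """Create a constructed profile directory (assumed layout) holding a
    plain-text file, a JPEG-headed file and a header-less random blob that
    stands in for an encrypted image. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="profile_")
    cache = os.path.join(root, "AppData", "Roaming", "cache")
    docs = os.path.join(root, "Documents")
    os.makedirs(cache)
    os.makedirs(docs)
    with open(os.path.join(docs, "notes.txt"), "wb") as f:
        f.write(b"quarterly report draft, nothing to see here\n" * 20)
    with open(os.path.join(docs, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + os.urandom(4096))   # JPEG magic, skipped
    with open(os.path.join(cache, "img_0001.dat"), "wb") as f:
        f.write(os.urandom(4096))                          # no header, flagged
    return root


if __name__ == "__main__":
    profile = build_sample_profile()
    for rel, entropy in scan_dir(profile):
        print(f"suspicious: {rel} (entropy {entropy} bits/byte)")
```

The magic-byte check is what keeps the false-positive rate tolerable: compressed archives and images are as high-entropy as ciphertext, so entropy alone would flag every photo in the profile. Files that an attacker wraps in a real container header would slip past this filter, which is why the result is a triage list, not a verdict.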

The Bizarro operation appears to be fairly sophisticated, with the threat actor relying on various affiliates and money mules to perform different tasks, ranging from help with translations to money-laundering schemes and facilitating the initial attacks against user machines.