BrazKing Android Malware

BrazKing is a mobile banking malware that performs overlay attacks to collect the banking credentials of its victims. The threat targets ANdroid devices and users located in Brazil predominantly, possibly suggesting that its operators are also located in the region. The researchers at IBM Trusteer shined a light on the threat by releasing a report with their findings after analysis of several BrazKing samples. So far, the experts are confident that BrazKing is still being developed actively due to the significant differences introduced in the more recent versions of the threat.

Abusing Android’s Accessibility Service

The Accessibility feature is intended to make the use of the mobile device more comfortable for people with disabilities. However, cybercriminals have honed in on it and are exploiting the service to perform numerous nefarious actions on the infected devices. BrazKing relies on the Accessibility service extensively, as this allows the threat to limit the number of specific permissions that it would need to be granted by the user. As a result, BrazKing asks for a small number of less suspicious permissions.

In the background, BrazKing can simulate screen taps, establish keylogging routines, act as a RAT (Remote Access Trojan), intercept and read SMS by capturing the text of the messages while it is displayed on the screen, and access the user's contact lists by reading them from the 'Contacts' screen silently. The threat also establishes a persistence mechanism based on the functions of the Accessibility service. If users attempt to restore the infected device to its factory settings, BrazKing will immediately simulate a tap on the 'Back' and ' Home' buttons. The same technique is also used to prevent users from launching anti-malware solutions or trying to run a scan of the device.

Infection Vector

Victims are tricked into installing the threat via phishing messages carrying the URL of a hoax website. The deceptive website uses scare tactics such as claiming that the user's device has outdated security and is going to be blocked. To fix this non-existent issue, users are directed to click the provided button that is supposedly going to 'update' the device's operating system. In reality, it will deliver the BrazKing Android malware. Users will still need to approve the download as the application is coming from an unknown source. Afterward, the threat will try to obtain the little permissions it needs masking them as Google requirements.

Overlay Attacks

Earlier BrazKing versions fetched the fake login screen for the targeted banking applications from a hardcoded URL. More recent versions have shifted away from this technique to become more streamlined, agile and elusive. Indeed, the threat now makes an automated call to its Command-and-Control (C2, C&C) server and requests the necessary overlay screen on the fly. The cybercriminals now determine when a suitable app is being launched by the victim and when to activate the credential-grabbing process instead of leaving it to an automated function within the threat itself.

Another characteristic of the BrazKing attacks is that they do not require the user-approved 'android.permission.SYSTEM_ALERT_WINDOW' permission. Instead, the malware loads the overlay screen's URL to a webview and displays it in a window.

Mobile banking malware is continuing to evolve and users should take the necessary measures to protect their devices and not expose themselves to unnecessary risks.