MalRhino Android Banking Trojan Description
The MalRhino Android Banking Trojan is the second threat belonging to a previously unclassified malware family discovered by Check Point Research. While the threat actors took a minimalist approach with their other creation, named PixStealer, MalRhino is more in line with typical Android banking Trojans. That doesn't mean the threat lacks novel or rarely seen techniques. The connection between the two threats was made based on similarities in their manifests, log messages, service and method names, and so on.
The threat also abuses the Android Accessibility Service to perform its harmful actions. The purpose of the Accessibility Service is to make controlling the device far easier for people with disabilities. Hackers quickly noticed the numerous functions available through it and have been exploiting the service in their malware creations. For example, they can monitor the activities taking place on the device's screen and intercept them. Furthermore, the attackers can simulate clicks and taps as if the user had made them.
MalRhino's Attack Chain
The threat is being deployed via fake versions of the Brazilian Inter Bank's iToken application. The package name of the trojanized application is 'com.gnservice.beta', which could indicate that the threat is still in the early stages of its development. It should be noted that the fake application was available for download from the official Google Play Store.
Once inside the victim's device, MalRhino displays a message asking for Accessibility permissions. To trick the user, the application claims that it needs the permission to function properly. If successful, the Trojan is able to run targeted applications (mostly banking applications), collect device data and the list of installed apps, and send the acquired information to its Command-and-Control (C&C, C2) server. A more specific threatening functionality involves retrieving the PIN code from the Nubank app.
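Because MalRhino depends on the user enabling its Accessibility Service, one practical check during device triage is to inspect which accessibility services are actually enabled and flag anything unexpected. The following is an added example (not from the Check Point report or the malware); the allowlist, the class names in the sample and the sample setting value are constructed for illustration, while the package name 'com.gnservice.beta' is the one reported above.

```python
# Triage helper for device IR: flag unexpected Android Accessibility Services.
# Parses the Secure setting `enabled_accessibility_services` (the value that
# `adb shell settings get secure enabled_accessibility_services` prints) and
# reports services that are not on an allowlist. Sample input is constructed.

# Package name of the trojanized iToken app reported by Check Point Research.
KNOWN_MALICIOUS_PACKAGES = {"com.gnservice.beta"}

# Hypothetical allowlist: services an organisation expects to see enabled
# (here the stock TalkBack screen reader). Adjust to your own fleet.
ALLOWED_SERVICES = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}

def normalize_component(raw: str) -> str:
    """Expand Android's shorthand 'pkg/.Cls' to 'pkg/pkg.Cls'."""
    pkg, _, cls = raw.strip().partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return f"{pkg}/{cls}" if cls else pkg

def parse_enabled_services(setting_value: str) -> list[str]:
    """Split the colon-separated setting into normalized components."""
    if not setting_value or setting_value.strip() == "null":  # unset on device
        return []
    return [normalize_component(c) for c in setting_value.split(":") if c.strip()]

def triage(setting_value: str) -> list[tuple[str, str]]:
    """Return (component, reason) pairs for services worth investigating."""
    findings = []
    for comp in parse_enabled_services(setting_value):
        pkg = comp.split("/", 1)[0]
        if pkg in KNOWN_MALICIOUS_PACKAGES:
            findings.append((comp, "known malicious package"))
        elif comp not in ALLOWED_SERVICES:
            findings.append((comp, "not on allowlist"))
    return findings

# Constructed sample (class names invented) of a compromised device's setting.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.gnservice.beta/.AccService:"
    "com.example.notes/com.example.notes.ReaderService"
)

if __name__ == "__main__":
    for component, reason in triage(SAMPLE_SETTING):
        print(f"{reason:24} {component}")
```

Feed it the real setting value from a device under investigation; an unset setting prints "null" and yields no findings.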
The MalRhino threat further showcases the need for caution when granting permissions to applications on a device, even when the applications were installed through official store platforms.