ThiefBot is an Android banking Trojan that is designed primarily to target users located in Turkey. This specific malware threat is being advertised and sold in underground hacker forums.

To avoid appearing suspicious, ThiefBot disguises itself as a Google Play store application that, upon installation, immediately starts asking for all kinds of permissions. ThiefBot wants users to allow it to read, send, and receive SMS messages, as well as access the device's storage, phone contacts and camera. ThiefBot also wants permission to turn on the accessibility service on the compromised device. If it is successful, ThiefBot enumerates the device and downloads a zip file named '' from its Command-and-Control (C2) server.
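A defender-side triage of the permission combination described above, as an added example that is not from the original page or any vendor tooling: it checks a decoded AndroidManifest.xml for the SMS, storage, contacts and camera permissions plus an accessibility service, and for a literal "Google Play" label on a package other than `com.android.vending`. The function name, the flagging rule and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Permission groups the description lists, as Android permission constants.
GROUPS = {
    "sms": {P + "READ_SMS", P + "SEND_SMS", P + "RECEIVE_SMS"},
    "storage": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
    "contacts": {P + "READ_CONTACTS"}, "camera": {P + "CAMERA"},
}
PLAY_STORE = "com.android.vending"  # package name of the genuine Play Store

def triage_manifest(manifest_xml):
    """Return findings for a decoded (plain-text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    groups = sorted(g for g, perms in GROUPS.items() if perms & requested)
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    accessibility = any(
        s.get(ANDROID + "permission") == P + "BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service"))
    app = root.find("application")
    label = (app.get(ANDROID + "label") or "") if app is not None else ""
    # Only literal labels are checked; "@string/..." needs the resource table.
    lookalike = "google play" in label.lower() and root.get("package") != PLAY_STORE
    return {
        "groups": groups,
        "accessibility_service": accessibility,
        "play_store_lookalike": lookalike,
        # Flag only the full combination: all SMS rights, every group, accessibility.
        "suspicious": (GROUPS["sms"] <= requested and accessibility
                       and len(groups) == len(GROUPS)),
    }

# Constructed sample manifest for illustration; not taken from a real sample.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Google Play">
    <service android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

Any one of these permissions is common in legitimate applications, so the rule flags only the full combination; the label check is reported separately because a decoded manifest usually holds a resource reference rather than literal text.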

ThiefBot Targets Several Turkish Applications and Banks

To collect credentials, ThiefBot uses overlay attacks that collect the banking credentials and credit/debit card details of the users and then send them to the C2 infrastructure through POST requests. One of the applications targeted by ThiefBot is for the Turkey-based Papara Payment Service.

In addition, ThiefBot can receive commands to perform numerous threatening actions. It can collect the compromised device's application data, contact list and SMS messages. ThiefBot can also act as a screen locker by displaying a specific message on the device's screen. ThiefBot can propagate itself by sending misleading custom messages to the contacts found on the infected device in an attempt to trick unsuspecting users into downloading and installing the threatening application.

To manage the campaign and issue commands for specific victims, the creators of ThiefBot have equipped their malware threat with an admin panel.

