
UBEL Android Malware

The UBEL Android malware was offered on underground hacking forums as a new Android threat. Analysis of its underlying code, however, revealed a different picture: UBEL shares significant similarities with a previously detected Android threat known as Oscorp. The links between the two are strong enough to lead researchers to conclude that UBEL is either a branch of the original Oscorp project or a rebranding of the earlier threat by a different hacker group. It should be noted that the operators of UBEL ran into trouble with their cybercriminal clients: complaints began to crop up that the malware was unable to operate on certain Android devices, despite the claims made in its promotion.

Threatening Capabilities

The threat possesses a large set of functionalities that allow the threat actor to achieve near-full control over compromised Android devices. Its main goal still appears to be collecting funds and obtaining banking credentials from victims. The threat can attack multiple avenues, including cryptocurrency and banking applications; researchers found that the malware is capable of performing overlay attacks against more than 150 applications. On top of that, the threat can set up various keylogging routines, establish backdoor access via the WebRTC protocol, and manipulate (intercept, read, send, delete) SMS messages and phone calls. In some instances, the attackers employed fake bank operators who called the victim over the phone while, in the background, the malware collected funds via unauthorized bank transfers.

Employed Techniques

To achieve its harmful goals, UBEL relies on several well-known techniques. One of them is abusing the device's Accessibility Services. Designed to let people with disabilities use mobile devices more comfortably, Accessibility Services have become a common target for mobile malware. Once granted access to them, a threat can simulate button clicks or screen gestures, and the same permissions allow the malware to observe and harvest selected information from the infected device. Another method lets UBEL perform so-called overlay attacks, which are usually the core behavior of banking Trojans: the threat shows the user a fake sign-up or login page on top of the legitimate one generated by the targeted application, using WebView.
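As an added example (not code from this article or from any vendor's tooling), the following Python triage script parses a constructed AndroidManifest.xml and flags the capability combination described above: an Accessibility Service declaration together with overlay, SMS and phone-call permissions. The package and service names in the sample manifest are placeholders.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Constructed sample manifest; package and service names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".PlaceholderA11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Permission groups that map onto the capabilities the article describes.
CATEGORIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "calls": {"android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG",
              "android.permission.ANSWER_PHONE_CALLS"},
}

def parse_manifest(xml_text):
    """Return (requested permissions, names of declared accessibility services)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    a11y = [s.get(NAME) for s in root.iter("service")
            if s.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"]
    return perms, a11y

def triage(xml_text):
    """List matching capability categories; accessibility + overlay is the
    banking-trojan pattern, so that pair alone marks the manifest suspicious."""
    perms, a11y = parse_manifest(xml_text)
    findings = ["accessibility-service"] if a11y else []
    findings += [name for name, needed in CATEGORIES.items() if perms & needed]
    suspicious = "accessibility-service" in findings and "overlay" in findings
    return {"findings": findings, "suspicious": suspicious}
```

In practice the manifest would come from `apktool` or `aapt dump` output, and a hit is a reason to inspect the package, not proof of malice, since legitimate accessibility apps request some of the same permissions.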
