The Android banking trojan BrazKing has returned, this time with dynamic banking overlays and a new implementation technique that lets it operate without requesting permissions Android flags as potentially dangerous. IBM Trusteer researchers studied a new sample discovered outside the Play Store, hosted on sites that victims land on after receiving smishing (SMS phishing) messages.
These HTTPS sites tell potential victims that their Android version is obsolete and offer an APK that supposedly upgrades them to the latest version. If the user has allowed “downloads from unknown sources,” the malware is installed on the phone and asks for access to the ‘Accessibility Service’. This single permission is then abused to record screenshots and keystrokes, so the malware never has to request the other permissions that would raise suspicion.
Since Android 11, Google has classified the list of installed applications as sensitive data, and any app that attempts to retrieve it is flagged as harmful by Play Protect. This is a new obstacle for every overlay banking trojan, which has to find out which banking apps are installed on the infected device in order to serve matching login screens. BrazKing doesn’t use the ‘getInstalledPackages’ API call to enumerate installed applications; instead, it reads what is on screen through the accessibility service’s screen dissection capability.
BrazKing now overlays without the ‘System Alert Window’ permission, which means it can’t draw a fake screen on top of the real app the way other trojans do. Instead, it opens a WebView window from within the accessibility service and loads the fake screen into it as a URL served from the attacker’s server.
Instead of showing built-in overlays when it detects an online banking login, the malware now contacts the command-and-control server to fetch the login overlay it should display. This dynamic overlay approach lets the threat actors steal credentials for a wider range of banks. Because the overlays are served from their own servers, the attackers can also update login screens whenever the genuine banking apps or sites change, or add support for other banks, without shipping a new APK.
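Because the whole attack chain described above hinges on the accessibility grant, one practical check for a defender or analyst is to list which packages currently hold that privilege on a device and flag any that are not expected. The following is an added example, not code from IBM Trusteer or from the malware: it parses the value of Android’s `enabled_accessibility_services` secure setting (as printed by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/ServiceClass` component names) and reports services whose package is not on an allowlist. The allowlist entries and the sample setting value are constructed for the demonstration; `com.example.sysupdate` is a placeholder standing in for an app that posed as an Android update.

```python
"""Triage helper: flag enabled Android accessibility services whose package
is not on an allowlist. Added example, not IBM Trusteer's or BrazKing's code."""

from typing import Dict, List

# Constructed allowlist of packages expected to hold the accessibility
# privilege (assumption: illustrative examples, not a vetted list).
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}

# Constructed sample of the setting value for offline testing. The package
# "com.example.sysupdate" is a placeholder for a fake "system update" app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/com.example.sysupdate.AccService"
)


def parse_enabled_services(setting_value: str) -> List[Dict[str, str]]:
    """Split the colon-separated list into (package, service) entries.
    Android prints the literal string 'null' when nothing is enabled."""
    entries: List[Dict[str, str]] = []
    if not setting_value or setting_value.strip() == "null":
        return entries
    for component in setting_value.strip().split(":"):
        if not component:
            continue
        pkg, _, cls = component.partition("/")
        # A class name starting with '.' is shorthand relative to the package.
        if cls.startswith("."):
            cls = pkg + cls
        entries.append({"package": pkg, "service": cls})
    return entries


def find_unexpected_services(setting_value: str, allowlist=KNOWN_GOOD_PACKAGES) -> List[str]:
    """Return component names of enabled services whose package is not allowlisted."""
    return [
        f"{e['package']}/{e['service']}"
        for e in parse_enabled_services(setting_value)
        if e["package"] not in allowlist
    ]


if __name__ == "__main__":
    for comp in find_unexpected_services(SAMPLE_SETTING):
        print("review accessibility grant:", comp)
```

On a real device the setting value would be read over adb and passed to `find_unexpected_services`; any hit is a candidate for closer inspection, since a legitimate app rarely needs this privilege.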
In the latest version of BrazKing, internal resources are protected by XORing them with a hardcoded key and then encoding the result with Base64. Analysts can reverse these steps quickly, but they still help the malware evade detection once it is installed on the victim’s device. If the user tries to remove the malware, it quickly presses the ‘Back’ or ‘Home’ button to interrupt the attempt, and it does the same when the user tries to launch an antivirus app to scan for and remove it.
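The XOR-then-Base64 scheme is the kind of light obfuscation an analyst reverses in a few lines. The block below is an added example, not BrazKing’s code or IBM’s tooling: it implements the decoding direction (Base64-decode, then XOR with a repeating key) together with the matching encoder, which exists only to build test data, and a batch helper that skips strings that are not valid Base64 or do not decode to printable text. The key is a placeholder; in real analysis the hardcoded key would be recovered from the sample itself.

```python
"""Decode strings obfuscated as XOR-with-hardcoded-key followed by Base64.
Added example, not the malware's or IBM Trusteer's code."""

import base64
from typing import Iterable, List

PLACEHOLDER_KEY = b"placeholder-key"  # assumption: not the malware's real key


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the repeating key (its own inverse)."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plaintext: bytes, key: bytes = PLACEHOLDER_KEY) -> str:
    """Mirror of the scheme (XOR, then Base64); used here only to build test data."""
    return base64.b64encode(xor_with_key(plaintext, key)).decode("ascii")


def deobfuscate(blob: str, key: bytes = PLACEHOLDER_KEY) -> bytes:
    """Reverse the scheme: Base64-decode, then XOR with the same key."""
    raw = base64.b64decode(blob, validate=True)
    return xor_with_key(raw, key)


def deobfuscate_all(blobs: Iterable[str], key: bytes = PLACEHOLDER_KEY) -> List[str]:
    """Decode a batch of candidate strings pulled from a sample, dropping any
    that are not valid Base64 or do not decode to printable UTF-8 text
    (the usual sign that a string was not obfuscated with this key)."""
    out: List[str] = []
    for blob in blobs:
        try:
            text = deobfuscate(blob, key).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text.isprintable():
            out.append(text)
    return out


# Constructed sample: two strings obfuscated with the placeholder key plus
# one junk string that should be skipped. example.invalid is a reserved name.
SAMPLE_BLOBS = [
    obfuscate(b"hello analyst"),
    obfuscate(b"https://example.invalid/login.html"),
    "not-base64!!",
]


if __name__ == "__main__":
    for text in deobfuscate_all(SAMPLE_BLOBS):
        print("decoded:", text)
```

In practice the candidate strings come from the APK’s resources or from string constants in the decompiled code, and trying a recovered key against all of them at once is usually enough to expose configuration such as C2 addresses and target app names.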
As Android’s security tightens, malware developers quickly adapt and ship stealthier versions of their tools, as BrazKing’s evolution shows. The trojan’s ability to steal 2FA codes, passwords, and screenshots without hoarding permissions makes it considerably riskier than before, so use caution when installing APKs from any source other than the Play Store. According to the IBM report, BrazKing appears to be operated by local threat groups, since it is spreading through Portuguese-language websites.