The 2FA application necessary to access BBVA bank accounts in Spain is impersonated by a new Android banking malware called Revive. Instead of aiming to infect consumers of various financial institutions, this trojan has a more targeted strategy that targets the BBVA bank. Even though Revive is still in the early stages of development, it is already able to perform sophisticated tasks like intercepting two-factor authentication (2FA) codes and one-time passwords.
In order to resume itself once terminated, malware employs a function with the same name, which Cleafy researchers called Revive after. According to Cleafy’s experts, the new malware targets potential victims through phishing assaults and persuades them to download an application that is purportedly a 2FA tool necessary for improved bank account security.
To update their banking security, users are instructed by this phishing attempt that the 2FA feature included in the real bank app is no longer sufficient. The app is housed on a specific website with a polished design and even has a video tutorial to walk users through downloading and installing it.
When Revive is installed, it asks for authorization to use the Accessibility Service, giving it full access to the screen and the power to tap the screen and navigate. It would seem typical for a 2FA service that users are asked to enable access to SMS and phone calls when they use the app for the first time. After that, Revive continues to function as a straightforward keylogger in the background, capturing whatever the user enters on the device and routinely transferring it to the C2.
By doing this, the credentials will be sent to the C2 of the threat actors, and a generic homepage with connections to the targeted bank’s website will subsequently load. Following that, Revive keeps operating in the background as a straightforward keylogger, capturing whatever the user enters on the device and routinely transferring it to the C2.
According to Cleafy’s analysis of the new malware’s source code, it appears that Teradroid, an Android spyware with its source code published on GitHub, served as inspiration for its creators. The APIs, web frameworks, and functionalities of the two are quite similar. Revive employs a unique control panel to gather passwords and eavesdrop on SMS communications.
As a consequence, almost no security providers can detect the program. Cleafy’s tests on VirusTotal, for instance, show four detections on one sample and none on a subsequent variation. Security vendors probably don’t have many possibilities to record these threats and define identifying parameters because of the limited targeting, brief campaigns, and isolated activities, which allows them to remain undetected for longer.
