UBEL is Linked To Oscorp, Android Credential Stealing Malware & Botnet

A new malware was observed abusing the accessibility features of Android devices to steal sensitive information. The campaign began in May 2021. The malware targets European banking applications and adds devices to its botnet.

Italy’s CERT-AGID first revealed details about this threat actor in January 2021, when the group was using Oscorp, a mobile malware designed to steal funds from victims.

It could intercept SMSes and make calls, as well as perform overlay attacks on over 150 mobile applications to exfiltrate valuable data.

The threat actors targeted individuals with malicious SMS messages and then posed as bank operators in real-time phone calls. They gained access to the infected device via the WebRTC protocol with the goal of conducting unauthorized bank transfers.

While no new activity had been reported since then, the threat actor appears to have resumed operations by launching the UBEL Android botnet.

“By analyzing some related samples, we found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source-code appears to be shared between multiple [threat actors],” Italian cybersecurity company Cleafy said Tuesday.

Sellers advertise UBEL on underground forums for $980.

UBEL gives its operators the ability to install and modify applications, view SMS messages, and record audio. It also abuses Android accessibility services, which allows it to read sensitive information displayed on the device.

The malware attempts to install itself as a service on the target device and then hides its presence so that it can keep running persistently.

Using WebRTC to interact with a compromised Android device in real-time, the threat actor can perform fraudulent activities without having to add the device to the botnet.

“The main goal for this [threat actor] by using this feature, is to avoid a ‘new device enrollment’, thus drastically reducing the possibility of being flagged ‘as suspicious’ since device’s fingerprinting indicators are well-known from the bank’s perspective,” the researchers said.

The geographical distribution of Oscorp’s apps is concentrated in a number of countries, including Turkey, Spain, Germany, Poland, Italy, the USA, Japan, and Australia.

About the author

CIM Team
