跳到主体内容

Acecard Trojan: Android Users of Over 30 Banking and Payment Apps at Risk

2016年2月22日

Kaspersky Lab’s Anti-malware Research Team has detected one of the most dangerous Android banking Trojans ever seen. The Acecard malware is capable of attacking users of nearly 50 different online financial applications and services and is able to bypass the Google Play store’s security measures

Kaspersky Lab’s Anti-malware Research Team has detected one of the most dangerous Android banking Trojans ever seen. The Acecard malware is capable of attacking users of nearly 50 different online financial applications and services and is able to bypass the Google Play store’s security measures.

During the third quarter of 2015, Kaspersky Lab experts detected an unusual increase in the number of mobile banking attacks in Australia. It looked suspicious and very soon it was discovered that the main reason for this increase was a single banking Trojan: Acecard.

The Acecard Trojan family uses almost all the malware functionality currently available – from stealing a bank’s text and voice messages to overlaying official app windows with false messages that simulate the official login page in an attempt to steal personal information and account details. The most recent versions of the Acecard family can attack the client applications of some 30 banks and payment systems. Considering that these Trojans are capable of overlaying any application upon command, the overall number of attacked financial applications may be much higher.

Besides banking apps, Acecard can overlay the following applications with phishing windows:

  • IM services: WhatsApp, Viber, Instagram, Skype;
  • Social networks: VKontakte, Odnoklassniki, Facebook, Twitter;
  • The Gmail client;
  • The PayPal mobile app;
  • Google Play and Google Music applications.

The malware was first detected in February 2014, but for a long period it showed almost no signs of malicious activity. Everything changed in 2015 when Kaspersky Lab researchers detected a spike in attacks: in the period May to December 2015, more than 6,000 users were attacked with this Trojan. Most of them were living in Russia, Australia, Germany, Austria and France.

During the two years of observation, Kaspersky Lab researchers witnessed the active development of the Trojan.  They registered more than 10 new versions of the malware, each with a far longer list of malicious functions than the previous one.  

Google Play is under attack

Mobile devices were usually infected after downloading a malicious application masquerading as a legitimate one. Acecard versions are typically distributed as Flash Player or PornoVideo, although other names are sometimes used in a bid to imitate useful and popular software.

But this is not the only way this malware is distributed. On 28 December 2015, Kaspersky Lab experts were able to spot a version of the Acecard downloader Trojan – Trojan-Downloader.AndroidOS.Acecard.b – in the official Google Play store. The Trojan propagates under the guise of a game. When the malware is installed from Google Play, the user will only see an Adobe Flash Player icon on the desktop screen and no actual sign of the installed application.



Who is behind it?

Looking closely at the malware code, Kaspersky lab experts are inclined to think that Acecard was created by the same group of cybercriminals that was responsible for the first TOR Trojan for Android Backdoor.AndroidOS.Torec.a  and the first mobile encryptor/ransomware Trojan-Ransom.AndroidOS.Pletor.a.  

The evidence for this is based on similar code lines (names of methods and classes) and the use of the same C&C (Command and Controls) servers. This proves that Acecard was made by a powerful and experienced group of criminals, most likely Russian-speaking.

“This cybercriminal group uses virtually every available method to propagate the banking Trojan Acecard. It can be distributed under the guise of another program, via official app stores, or via other Trojans. A distinctive feature of this malware is that it’s capable of overlaying more than 30 banking and payment systems as well as social media, instant messaging and other apps. The combination of Acecard’s capabilities and methods of propagation make this mobile banker one of the most dangerous threats to users today,” – warns Roman Unuchek Senior Malware Analyst at Kaspersky Lab USA.

In order to prevent infection Kaspersky Lab recommends the following:

  • Do not download or/and install any applications from Google Play or internal sources if they are untrusted or can be treated as such;
  • Do not visit suspicious web pages with specific content and click on suspicious links;
  • Install a reliable security solution on mobile devices, such as Kaspersky Internet Security for Android;
  • Make sure that antivirus databases are up to date and functioning properly. 
To learn more about the Acecard Trojan, please read the blog post available at Securelist.com.

Acecard Trojan: Android Users of Over 30 Banking and Payment Apps at Risk

Kaspersky Lab’s Anti-malware Research Team has detected one of the most dangerous Android banking Trojans ever seen. The Acecard malware is capable of attacking users of nearly 50 different online financial applications and services and is able to bypass the Google Play store’s security measures
Kaspersky logo

关于卡巴斯基

卡巴斯基是一家成立于1997年的全球网络安全和数字隐私公司。卡巴斯基不断将深度威胁情报和安全技术转化成创新的安全解决方案和服务,为全球的企业、关键基础设施、政府和消费者提供安全保护。公司提供全面的安全产品组合,包括领先的端点保护解决方案以及多种针对性的安全解决方案和服务,以及用于应对复杂和不断变化的数字威胁的网络免疫解决方案。全球有超过4亿用户使用卡巴斯基技术保护自己,我们还帮助全球200,000家企业客户保护最重要的东西。要了解更多详情,请访问www.kaspersky.com.cn.

相关文章 企业新闻