Android Malware BrazKing Returns as Crafty Banking Trojan

The BrazKing Android banking Trojan has returned with dynamic banking overlays and a new implementation trick that allows it to execute without requesting risky permissions. A new malware sample was examined by IBM Trusteer investigators, who discovered it outside the Play Store, on sites where people end up after receiving smishing (SMS phishing) messages.

These HTTPS sites alert the eventual victim that they are utilizing an outdated Android version and offer an APK that will supposedly update them to the latest version.


Only Asking for a Single Permission

If the user approves “downloads from unknown sources,” the malware is dropped on the device and requests access to the “Accessibility Service”.

This permission is abused to capture screen contents and keystrokes without requesting additional permissions that would risk raising suspicion. More specifically, the accessibility service is utilized by BrazKing for the following malicious activity:

  • Dissect the screen programmatically instead of taking screenshots in picture format. Capturing actual screenshots is possible, but on a non-rooted device that would require the explicit approval of the user.
  • Keylogger capabilities by reading the views on the screen.
  • RAT capabilities—BrazKing can manipulate the target banking application by tapping buttons or keying text in.
  • Read SMS without the ‘android.permission.READ_SMS’ permission by reading text messages that appear on the screen. This can give actors access to 2FA codes.
  • Read contact lists without the ‘android.permission.READ_CONTACTS’ permission by reading the contacts on the “Contacts” screen.

Starting with Android 11, Google classifies the list of installed applications as sensitive information, so any malware that tries to fetch it is flagged by Play Protect as malicious. This is a new problem for all the banking overlay Trojans that need to determine which bank applications are installed on the infected device in order to serve matching login screens.

BrazKing no longer uses the ‘getInstalledPackages’ API call as it used to, but instead uses the screen dissection feature to see which applications are installed on the affected device. When it comes to overlaying, BrazKing now does it without the ‘SYSTEM_ALERT_WINDOW’ permission, so it can’t overlay a fake screen on top of the original app as other Trojans do.

Instead, it loads the fake screen as a URL from the attacker’s server in a web view window, added from within the accessibility service. This covers the app and all its windows but doesn’t force an exit from it.


When it detects a login to an online bank, instead of displaying built-in overlays, the malware now connects to the command and control server to receive the correct login overlay to display.

This dynamic overlay system makes it easier for the threat actors to steal credentials for a broader range of banks. Serving the overlays from the attacker’s servers also allows them to update the login screens as necessary to coincide with changes on the legitimate banking apps or sites or add support for new banks.

Obfuscation and resistance to deletion

The new version of BrazKing protects internal resources by applying an XOR operation with a hardcoded key and then encoding the result with Base64. Analysts can quickly reverse these steps, but they still help the malware go unnoticed when nested in the victim’s device.
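As an added example (not code from the IBM report or from the malware itself), the small Python helper below reproduces and reverses the XOR-then-Base64 layering described above, the way an analyst would when pulling strings out of a sample. The key, the resource string and the known-plaintext prefix are constructed placeholders, not values taken from BrazKing.

```python
import base64
from itertools import cycle
from typing import Optional

# Constructed placeholders for the demonstration; the real sample's
# hardcoded key and resources are not reproduced here.
SAMPLE_KEY = b"k3y!"
SAMPLE_RESOURCE = b"https://overlay.example.invalid/login.html"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is its own inverse."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(plaintext: bytes, key: bytes) -> str:
    """Apply the described layering: XOR with the key, then Base64-encode."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def deobfuscate(encoded: str, key: bytes) -> bytes:
    """Reverse the layering: strict Base64-decode, then XOR with the same key."""
    return xor_bytes(base64.b64decode(encoded, validate=True), key)


def recover_key(encoded: str, crib: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext key recovery for a repeating XOR key.

    If a resource is assumed to start with `crib` (e.g. an "https://" URL)
    and the key is `key_len` bytes long, XOR-ing the first key_len bytes of
    the decoded blob with the crib yields the key. Returns None when the
    crib or blob is too short to cover a full key period.
    """
    raw = base64.b64decode(encoded, validate=True)
    if len(crib) < key_len or len(raw) < key_len:
        return None
    return bytes(r ^ c for r, c in zip(raw[:key_len], crib[:key_len]))


def demo() -> bytes:
    """Round-trip the constructed resource and recover the key from a crib."""
    encoded = obfuscate(SAMPLE_RESOURCE, SAMPLE_KEY)
    key = recover_key(encoded, b"https://", len(SAMPLE_KEY))
    assert key == SAMPLE_KEY
    return deobfuscate(encoded, key)
```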


If the user attempts to delete the malware, it quickly taps the ‘Back’ or ‘Home’ button to prevent the action. The same trick is used when the user tries to open an antivirus app, hoping to scan for and remove the malware with the security tool.

BrazKing’s evolution shows that malware authors quickly adapt to deliver stealthier versions of their tools as Android’s security tightens up. The ability to snatch 2FA codes and credentials and to capture screen contents without hoarding permissions makes the Trojan a lot more potent than it used to be, so be very careful with APK downloads outside the Play Store.

According to the IBM report, BrazKing appears to be operated by local threat groups, as it is circulating on Portuguese-speaking websites.
