FBI Cyber Bulletin: Android Malware Phishing for Financial Institution Customer Credentials

The following bulletin was obtained from the public website of a U.S. legal association.

Android Malware SlemBunk and Marcher Actively Target US Financial Institutions’ Customers

Page Count: 4 pages
Date: May 9, 2016
Restriction: TLP: AMBER
Originating Organization: Federal Bureau of Investigation, Cyber Divison
File Type: pdf
File Size: 457,409 bytes
File Hash (SHA-256): 71121E5C59D4335B96D138BF841D7119838B8A9ECDF24A87FF418B363E902EBD


Download File

The FBI has identified two Android malware families, SlemBunk and Marcher, actively phishing for specified US financial institutions’ customer credentials. The malware monitors the infected phone for the launch of a targeted mobile banking application to inject a phishing overlay over the legitimate application’s user interface. The malware then displays an indistinguishable fake login interface to steal the victim’s banking credentials. According to cyber threat industry reports, both malware families have targeted foreign financial institutions since 2014, gradually broadening the list to include Western banks, and offered the malware for lease or purchase, respectively, in underground forums. At least as of December 2015, the malware expanded its configuration to include the Android package names of US financial institutions.

Scope of Threat

Both malware families are capable of defeating two-factor authentication through their ability to monitor and intercept SMS messages, facilitating the attackers’ ability to perform account takeovers using only the infected mobile device. However, the financial losses attributed to these malware families are difficult to assess because the indistinguishable format of the phishing overlay from the legitimate mobile banking application thwarts the victim’s ability to detect the mobile device as the initial point of compromise. Additionally, the malware sends the stolen login credentials to a command and control server, further complicating identification of the intrusion vector.

Of note, the December 2015 leak of the GM bot source code, an early variant from the SlemBunk family, may embolden malicious cyber actors to create their own Android banking malware using parts of the exposed source code and control panel. Further, depending on how much of the GM bot source code is in later malware variants of the SlemBunk family, the author may be prompted to alter SlemBunk’s existing source code or develop an entirely new Android banking malware family to secure differentiation of the malware and continued profitability from fraud activity. SlemBunk’s developer has proven adept at releasing numerous mobile malware variants and, as of late 2015, also broadened SlemBunk’s target list to include Android applications for common US social media and instant messaging platforms, applying the same overlay technique to prompt the user for login credentials and/or credit card information. The FBI assesses mobile malware targeting Android devices will continue to attract financially-motivated cyber criminal actors with the means and opportunity to manipulate the leaked source code or exploit the increasing attack surface in Android’s mobile market.

Infection Vectors

Review of cyber threat industry reports on the two malware families reveals the following initial vectors of compromise, because the malware distribution method is not included in its lease or purchase:

  • SMS or MMS phishing, to include messages requesting the user to install malicious Adobe Flash Player software;
  • Malvertisements or pop-ups from adult Web sites prompting the user to download a malicious Adobe Flash update;
  • Mobile applications downloaded from third-party mobile application platforms; and
  • Phishing e-mails.

Recommendations for Private Sector Institutions

  • Use static code analysis tools to review the hardcoded and configuration list of malware sample(s) to identify targeted mobile applications.
  • Conduct device fingerprinting and login analysis to detect unauthorized access to accounts, and be willing to set alerts for unknown devices and IP addresses accessing the accounts.
  • Differentiate traffic from mobile and non-mobile devices to attribute intrusions and related losses.
  • Educate consumers on appropriate preventive and reactive actions to known criminal schemes and social engineering threats, including how employees should respond in their respective position and environment.
  • Educate consumers on when personally identifiable information, authentication credentials, or payment card industry information would be requested.
  • Use security application program interfaces during application development to determine risk for fraud activity.
  • Work with respective brand enforcement units to remove malicious applications from official and third-party application platforms.

Share this:

Facebooktwitterredditlinkedinmail