On the left – original Sberbank of Russia app, on the right – fake app; Image Source: TrendMicro
Fanta SDK is one of the latest malicious threats aimed at Android users. This particular malware is pretty good at protecting itself and changes the user’s device PIN code to lock their device. In the meantime, the user’s bank account is being emptied.
Fanta SDK first appeared in December 2015, but it wasn’t widespread back then and thus didn’t make the headlines. However, during the past several months the malware has been improved and is now more active.
Fanta SDK Android Malware Distribution
As with other forms of malware, attackers are distributing the threat via spam emails. How is the campaign taking place? The potential victim receives an email whose sender address spoofs their bank’s. They are then prompted to update their banking app because a new update has supposedly been released. Current victims of Fanta SDK are located only in Russia and are customers of Sberbank of Russia.
Fanta SDK Android Malware Description
TrendMicro is the security firm that analyzed the threat after acquiring a sample of a fake banking app in Russia. This was indeed Fanta SDK. As noted above, the malware changes the device’s password when the victim attempts to remove or deactivate the app’s admin privileges.
Fanta SDK also has an unusual way of running its malicious routine: it waits for commands before the attack is launched. TrendMicro writes that:
Users can get Fanta SDK from malicious URL links for a benign app like “system”, as well as by downloading them from third-party app stores. The message would contain a narrative that would ask users to download the latest version of the banking app immediately for security reasons.
Once the app is downloaded and installed, the user will be asked to grant it admin privileges. This should immediately warn the user of malicious behavior, as legitimate applications don’t request admin rights.
Once admin privileges are obtained, Fanta SDK will wait for the potential victim to launch the mobile banking app. This latest campaign of Fanta SDK is set to display a phishing pop-up to grab the user’s banking credentials. Then, the user will be redirected to the app.
When Is a User’s Bank Account Successfully Emptied?
Once the user “detects” the malicious behavior of the banking app, they will probably try to uninstall it. However, they won’t be able to do so unless they first remove the app’s admin privileges. If they do, Fanta SDK changes the device’s password, locking the victim out.
As written by TrendMicro researchers:
It is not easy for users to unlock the device if the code is set by the malware. One possible way is to delete the password key file under ADB shell. But this requires that the device is rooted and USB debugging is enabled.
However, rooting a device is rare in real life for the following reasons:
- Few, if any, Android devices are rooted out of the box
- Not all Android devices can be rooted
- Rooting a device breaks its warranty
Furthermore, the malware will successfully empty the victim’s bank account, especially when the victim has multiple bank accounts.
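Because the lock-out is triggered by removing admin rights, the safe first step on a suspect phone is to audit which apps currently hold device admin rights before touching any of them. The script below is an added example, not code from the article or from Trend Micro: it parses the “Enabled Device Admins” section of `adb shell dumpsys device_policy` (the layout is approximated from current AOSP output and all component names are constructed) and flags any admin component that is not on an allowlist.

```shell
#!/bin/sh
# Added example, not from the article or Trend Micro: audit which apps hold
# device admin rights. On a real phone, feed `adb shell dumpsys device_policy`
# into flag_unexpected_admins instead of SAMPLE. Assumption: the section layout
# below approximates current AOSP output; all component names are constructed.

# Constructed sample; "com.sample.system" stands in for a malicious app that
# named itself "system", as the article describes.
SAMPLE='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.corp.mdm/.AdminReceiver:
      uid=10095
    com.sample.system/.AdminReceiver:
      uid=10123
  Device owner:
    (none)'

# Components the organisation expects to hold admin rights (constructed).
ALLOWLIST='com.corp.mdm/.AdminReceiver'

# Print one enabled admin component per line, reading dumpsys text on stdin.
list_device_admins() {
  awk '
    /Enabled Device Admins/ { in_block = 1; next }
    in_block && /^[ \t]*[A-Za-z0-9_.]+\/[A-Za-z0-9_.$]+:[ \t]*$/ {
      sub(/^[ \t]+/, ""); sub(/:[ \t]*$/, ""); print
    }
    in_block && /^  [^ ]/ { in_block = 0 }   # next top-level section
  '
}

# Print every admin not in the allowlist ($1, whitespace-separated).
# Returns 0 when all admins are expected, 1 otherwise.
flag_unexpected_admins() {
  allow="$1"; rc=0
  for admin in $(list_device_admins); do
    case " $allow " in
      *" $admin "*) ;;
      *) echo "UNEXPECTED device admin: $admin"; rc=1 ;;
    esac
  done
  return $rc
}

if printf '%s\n' "$SAMPLE" | flag_unexpected_admins "$ALLOWLIST"; then
  echo "all device admins are expected"
fi
```

An unexpected admin entry is a signal to investigate, not an instruction to deactivate it on the spot, since the article shows that deactivation is exactly what triggers the PIN change.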
Fanta SDK Related to Cridex, Ramnit and ZBOT Banking Trojans
Not surprisingly, the Android malware is connected to the infrastructure of malicious campaigns delivering Cridex, Ramnit, and ZBOT banking Trojans:
Further investigation of the C&C server led us to the IP address 22.214.171.124. The IP address was a parking domain, hosting several other malware including ransomware, RAMNIT, CRIDEX, and ZBOT. We are still investigating this domain in hopes of finding a link between the perpetrators behind the fake bank app and the other malware distributed from the IP address.
How to Protect Your Android Phone from Fanta SDK
TrendMicro’s research reveals that the latest version of the Sberbank app detects the malware, while older versions cannot. Fortunately, the firm has already contacted the bank and informed it about the security threat.
If you’re a customer of this bank, you should consider updating the app via the bank’s official website.
If a bank or credit provider requests that users download a new version of an app, do so securely by downloading the app from the provider’s official website.
Also, don’t forget that your Android device needs anti-malware protection just as your personal computer does.