A sophisticated new banking malware is hard to detect, capable of stealing lots of money, and infecting thousands of people in Italy and Spain.
An evasive new Android Trojan in the wild is capable of covertly stealing victims’ money while they’re sleeping.
Often, malware has to evolve and present new challenges to cyber defenders in order to survive. But banking Trojans have always been the meat and potatoes of cybercrime — effective, despite being mostly unchanged for decades now.
“Klopatra,” a new banking Trojan described in a recent blog post from fraud detection vendor Cleafy, isn’t a total overhaul of the familiar model. It’s devilishly effective, though, with a solution for every security or access barrier that might get in the way of draining a victim’s bank account, and protections that make sure the victim is never alerted in the meantime. The initial builds of Klopatra were first observed in March, and the Trojan came into its own in the summer and now has infected more than 3,000 devices in Italy and Spain.
The Perfect Lure
In Europe, just as it is in the United States, streaming live sports has become a bit of a nightmare. Leagues often split broadcasting rights between multiple providers, requiring fans to subscribe to handfuls of monthly services just to watch their favorite teams play on a regular basis. Then there are blackouts to account for, technical issues, and other obstacles.
It’s why tens of millions of fans once turned to “Mobdro,” the world’s most popular pirate streaming service. Entertainment companies collaborated with police to take down Mobdro in 2021, scattering its users to other illicit services.
This year, Turkish-language cyberattackers have been concealing Klopatra behind the guise of the Mobdro app, as if it had never left. It’s a clever disguise, as Mobdro carries demand and brand recognition. More than that, though, its illegality provides a perfect excuse for the attackers to ask users to download it outside of the bounds of the Google Play store.
In general, users of illegal streaming services may also be more inclined to stretch the bounds of what their devices are designed to do. That, too, works in Klopatra’s favor, as once the program installs on an Android device, it requests permission to utilize Accessibility Services. Users who grant this permission allow the malware any powers an attacker could wish for over a mobile device.
Just to be sure, though, the malware employs a number of techniques designed to obfuscate its true nature and frustrate analysis tools. It makes use of a variety of anti-sandboxing techniques and native libraries, which are harder to reverse-engineer because they run as compiled code outside of Android's managed (Java/Kotlin) runtime environment. It also uses a commercial Chinese packer called “Virbox” to compress, encrypt, obfuscate, and virtualize its malicious code, further frustrating analysis efforts.
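The two traits described above, an app sideloaded from outside Google Play and then granted Accessibility Services, can be audited together on a device connected over adb. The script below is an added example, not code from Cleafy's report; it parses captured output of two standard `adb shell` commands, and the package names in the sample output are constructed, not real indicators.

```shell
#!/bin/sh
# Added example: flag apps that both have an enabled accessibility service and
# were not installed by Google Play. Parsing runs on captured command output so
# the logic can be exercised offline; sample data below is constructed.

# Format of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" entries.
SAMPLE_ACCESS='com.google.android.marvin.talkback/.TalkBackService:com.example.mobdro/.AccessService'

# Format of `adb shell pm list packages -i`: "package:<name>  installer=<pkg>"
# (installer=null means the package was sideloaded). Constructed sample:
SAMPLE_PKGS='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.mobdro  installer=null
package:com.example.bank  installer=com.android.vending'

# flag_sideloaded_accessibility ACCESS_LIST PKG_LIST
# Prints, one per line, each package with an enabled accessibility service whose
# installer is not Google Play (com.android.vending), including unknown installers.
flag_sideloaded_accessibility() {
    access="$1"; pkgs="$2"
    printf '%s\n' "$access" | tr ':' '\n' | cut -d/ -f1 | sort -u | while read -r pkg; do
        [ -n "$pkg" ] || continue
        installer=$(printf '%s\n' "$pkgs" | grep -E "^package:$pkg[[:space:]]" | sed 's/.*installer=//')
        [ "$installer" = "com.android.vending" ] || printf '%s\n' "$pkg"
    done
}

# audit_device: same check against a live device (requires adb and USB debugging).
audit_device() {
    flag_sideloaded_accessibility \
        "$(adb shell settings get secure enabled_accessibility_services)" \
        "$(adb shell pm list packages -i)"
}

# Offline demonstration on the constructed sample: prints com.example.mobdro
flag_sideloaded_accessibility "$SAMPLE_ACCESS" "$SAMPLE_PKGS"
```

A hit is a prompt to inspect the package, not proof of infection: legitimate accessibility tools sideloaded by the user will also appear.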
Trojan in the Night
Klopatra is ultimately a remote access Trojan (RAT) with some typical information-gathering capabilities: capturing screenshots and screen recordings, collecting a list of installed apps, and even displaying fake notifications. Like other banking Trojans, it can overlay a variety of pre-rendered login screens atop legitimate apps so as to steal credentials from users while they think they’re logging into the real thing. This is all preliminary, however, to the real meat of the attack.
Klopatra is most effective when it allows an attacker to interact with a victim’s device as if they were holding it in their hands. They can simulate taps of the finger, swipes, and long presses from abroad, Cleafy’s report noted. In effect, they can do just about anything: lock and unlock the screen, enter the PIN or password pattern necessary to unlock the device, open and engage with apps, type in text or copy it from the clipboard. They could probably use Klopatra to text a victim’s mother, if they wanted to.
A victim might get suspicious, though, if they watched a ghost in their phone text their mom. And indeed, as Cleafy researchers tracked Klopatra attacks, they realized that the hackers were accounting for that, specifically carrying out their remote manipulations during the nighttime hours in Europe. Here’s how it would typically go:
First, the malware performs a check to see that the screen is off and the user inactive. It further checks that the device is plugged in and charging, indicating that the victim might be charging overnight, and unlikely to open their device in the coming hours.
Next, the attacker wakes the device but turns the screen brightness down to zero, so that it outwardly appears to still be off. They use the PIN or password pattern they’ve previously stolen to unlock it, then they open a targeted banking app and enter previously stolen credentials. Finally, they drain the victim’s bank account in a series of transfers sent to their own account. The victim wakes up in the morning none the wiser, until they realize what happened to their savings.