A previously unknown Android banking trojan has been found in the wild, targeting customers of the Spanish financial services company BBVA.
Said to be in its early stages of development, the malware, dubbed Revive by Italian cybersecurity firm Cleafy, was first observed on June 15, 2022 and is distributed via phishing campaigns.
"The name Revive has been chosen since one of the functionalities of the malware (called by the [threat actors] precisely 'revive') is restarting in case the malware stops working," Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday write-up.
Available for download from rogue phishing pages ("bbva.appsecureguide[.]com" or "bbva.european2fa[.]com") that serve as a lure to trick users into installing the app, the malware impersonates the bank's two-factor authentication (2FA) app and is said to be inspired by open-source spyware called Teardroid, with the authors tweaking the original source code to incorporate new features.
Unlike other banking malware known to target a wide range of financial apps, Revive is tailored to a single target, in this case BBVA. That said, it is no different from its counterparts in that it leverages Android's accessibility services API to fulfil its operational objectives.
Revive is mainly engineered to harvest the bank's login credentials through lookalike pages and to facilitate account takeover attacks. It also includes a keylogger module to capture keystrokes and the ability to intercept SMS messages received on the infected device, primarily one-time passwords and 2FA codes sent by the bank.
"When the victim opens the malicious app for the first time, Revive asks to accept two permissions related to the SMS and phone calls," the researchers said. "After that, a clone page (of the targeted bank) appears to the user and if the login credentials are inserted, they're sent to the [command-and-control server] of the TAs."
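The first-launch behaviour described above (SMS and phone-call permissions, OTP interception, accessibility-driven UI control) leaves a recognisable footprint in an APK's manifest. As an added example that is not part of Cleafy's write-up or of the malware itself, the following Python script parses a decoded AndroidManifest.xml and scores that footprint; the package names, class names and both manifests are constructed for the example.

```python
"""Added example, not code from Cleafy's write-up or from the Revive sample.

A static triage check that reads a decoded AndroidManifest.xml (for instance
the output of apktool) and flags the combination described for Revive: SMS
and phone-call permissions requested at first launch, an SMS broadcast
receiver to grab OTPs, and an accessibility service used to drive the UI.
Both manifests below are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
CALL_PERMS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG",
}
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest modelled on the behaviour described in the article:
# a fake 2FA app with SMS + phone permissions, an SMS receiver and an
# accessibility service. Package and class names are invented.
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake2fa">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Secure 2FA">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".ReviveService" android:exported="true"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary app: network access only.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found in a manifest plus a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}

    # A receiver registered for SMS_RECEIVED can read incoming OTPs.
    sms_receiver = any(
        a.get(NAME) == SMS_RECEIVED
        for r in root.iter("receiver")
        for a in r.iter("action")
    )
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility
    # service: once the user enables it, it can read and act on any app's UI.
    accessibility_service = any(
        s.get(PERMISSION) == BIND_ACCESSIBILITY for s in root.iter("service")
    )

    indicators = {
        "sms_permissions": sorted(requested & SMS_PERMS),
        "call_permissions": sorted(requested & CALL_PERMS),
        "sms_receiver": sms_receiver,
        "accessibility_service": accessibility_service,
    }
    hits = sum(bool(v) for v in indicators.values())
    if accessibility_service and hits >= 3:
        verdict = "high"  # UI control plus OTP/phone theft capability
    elif hits >= 2:
        verdict = "medium"
    elif hits == 1:
        verdict = "low"
    else:
        verdict = "none"
    return {"package": root.get("package"), "verdict": verdict, **indicators}


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

To run it against a real sample, decode the APK first (for example with `apktool d sample.apk`) and pass the contents of the resulting AndroidManifest.xml to `triage_manifest`. The score is a review trigger, not a verdict: legitimate SMS clients and genuine accessibility tools request the same capabilities, so a "high" result means the sample warrants dynamic analysis of where its login page and SMS contents are sent.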
The findings once again underscore the need to exercise caution when downloading apps from untrusted third-party sources. The abuse of sideloading has not gone unnoticed by Google, which has introduced a "restricted settings" feature in Android 13 that by default prevents sideloaded apps from being granted access to accessibility APIs; the protection is not absolute, since a user can still be talked into allowing the restricted setting manually, but it removes the one-tap path that overlay and SMS-stealing trojans such as Revive rely on.