Android Banking Trojan Flubot Abuses

A banking trojan targeting Itaú Unibanco, a large financial services provider in Brazil with 55 million customers globally, has deployed an unusual trick to spread to devices.

The actors have set up a page that looks very close to Android’s official Google Play app store to trick visitors into thinking they are installing the app from a trustworthy service and pretending to be an official banking app

Once clicked on the “Install” button, they are offered to download the APK, which is the first sign of the scam. Google Play Store apps are installed through the store interface, never asking the user to download and install programs manually

The Malware attempts to open the real Itaú app from the actual Play Store. If succeeds, it uses the actual app to perform fraudulent transactions by changing the user’s input fields. Since it installs with low level permission no security risk detection flagged.

It aims to leverage the Accessibility Service, which is all that’s needed by mobile malware to bypass all security on Android systems.

Only the user has the chance to spot the signs of abuse and stop the malware before it gets a chance to perform destructive actions on the device. These signs come in the form of the app requesting permission to perform gestures, retrieve window content, and observe user actions.

The websites used to distribute the malicious APKs have been reported and taken offline for now, but the actors may return through different domains.

Users has to be vigilant and stay secure while installing the apps. The legitimacy of the applications need to be checked. Mobile security has to be enabled .