Security researchers continuously track financial fraud in the online landscape. In a recent malware study, they found that BrazKing, an Android banking trojan operated by local cybercriminals, has upgraded its capabilities to target users of mobile banking apps in Brazil.
BrazKing's developers appear to have reworked the malware to be more agile: its core overlay mechanism now fetches fake overlay screens from the C2 server in real time. The previous version abused the accessibility service on infected devices to detect which apps the user opened.
In that earlier version, once a targeted banking app was detected opening, BrazKing loaded an overlay screen from a hardcoded URL and placed it on top of the real app.
The current version instead calls the attacker's server when a target app opens and sends the on-screen content to the C2 server; the C2 server then pushes the matching overlay and triggers the credential grabbing.
Researchers also note that while BrazKing uses the same overlay concept as other banking malware, one detail sets it apart. Typical overlay malware needs the victim to grant the android.permission.SYSTEM_ALERT_WINDOW permission on the device; BrazKing does not, which makes it more elusive.
Because BrazKing requests fewer permissions from the victim's device, it looks less harmful than it is. The malware needs only access to the accessibility service to carry out its attacks: dissecting the device's screen programmatically rather than taking screenshots, keylogging by reading the views on screen, RAT capabilities, reading text messages that appear on screen, and reading contact lists.
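The permission profile described above (an accessibility service declared, but no SYSTEM_ALERT_WINDOW requested) is something an analyst can check directly in an APK's AndroidManifest.xml during triage. The script below is an added example written for this article; it is not code from the researchers or from the malware. The manifest it parses is constructed for illustration, and the package name, service name and app label in it are invented.

```python
"""Triage an AndroidManifest.xml for the BrazKing-style permission profile:
an accessibility service is declared, but SYSTEM_ALERT_WINDOW is not requested.
Added example; the sample manifest below is constructed, not a real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
# Permissions whose data an accessibility service can already read off the screen
DATA_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
}

# Constructed sample manifest (hypothetical package and service names)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securityupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Security Update">
    <service android:name=".ScreenService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def accessibility_services(root):
    """Return the names of services that bind as accessibility services.

    Either the BIND_ACCESSIBILITY_SERVICE permission guard or the
    AccessibilityService intent action is enough to flag the service.
    """
    found = []
    for svc in root.iter("service"):
        guarded = svc.get(A_PERMISSION) == BIND_A11Y
        actions = {a.get(A_NAME) for a in svc.iter("action")}
        if guarded or A11Y_ACTION in actions:
            found.append(svc.get(A_NAME))
    return found


def triage_manifest(xml_text):
    """Parse a manifest and report its overlay/accessibility permission profile."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    a11y = accessibility_services(root)
    overlay = OVERLAY_PERM in requested
    if a11y and not overlay:
        verdict = "suspicious: accessibility service without SYSTEM_ALERT_WINDOW"
    elif a11y:
        verdict = "review: accessibility service plus overlay permission"
    else:
        verdict = "no accessibility service declared"
    return {
        "package": root.get("package"),
        "accessibility_services": a11y,
        "requests_overlay": overlay,
        "data_permissions": sorted(requested & DATA_PERMS),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A declared accessibility service is not malicious on its own (screen readers and password managers legitimately use one), so the verdict is a triage lead rather than a detection: it matters most when combined with the delivery path described below, an APK sideloaded from a page that urges the user to "update" the device's security.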
Researchers also studied BrazKing's infection routine. The victim receives a phishing message containing a URL that leads to a website claiming the device has been blocked for lack of security. The page shows an 'update' button; clicking it to 'update' the device's security triggers the BrazKing download.
Once the victim accepts the accessibility service request, the malware runs in the background. Its goal is to let the threat actors launch fraudulent transactions from the victim's mobile banking app. Because it is controlled from the C2 server, the malware does not automate fraud on the device itself; the analysis instead reveals many attack scenarios the operators can choose to execute, which is why mobile banking users need to be especially careful about what they allow onto their devices.