Android Malware Masquerades as Chrome Browser Reads SMS & Intercepts Emails

Threat actors primarily target remote access and control of victims’ devices by employing deceptive tactics. They often create fake apps or pose as legitimate ones to trick users into downloading malicious software, compromising the targeted devices’ security and privacy.

This approach allows them to gain unauthorized access, potentially steal sensitive information, or carry out other malicious activities.

Cybersecurity researchers at K7 Security Labs recently identified Rusty Droid RAT, a stealthy Android malware masquerading as a Chrome browser to read SMS and intercept emails.

Technical Analysis

Rusty Droid persists by repeatedly prompting the user to enable Accessibility Service, concealing its icon from the app drawer once granted.

Accessibility permission request (Source – K7 Security Labs)

Before linking to C2, the Rusty Droid malware collects the following data:

Contact info
Accounts
App list

With accessibility permissions, it decrypts ‘LqL.json’ to an executable DEX file and deploys ‘settings.xml’ with the C2 server IP and bot ID.

This Trojan abuses the Android Accessibility Service as a keylogger, stealing victims’ data like passwords, credit card details, and messages and sending it to cybercriminals for identity theft and fraud, with a connection to C2 server “176.111.174[.]191.

**Malicious C2 Panel (Source – K7 Security Labs)**

This malware can collect keystrokes during user interaction with those applications to steal login information, including cryptocurrency wallet seed phrases, by connecting to a control server to get a list of targeted programs.

Apps Targeted

Here below, we have mentioned all the targeted applications:

com.android.vending
ar.bapro
ar.com.santander.rio.mbanking
ar.macro
at.spardat.bcrmobile
at.volksbank.volksbankmobile
au.com.amp.myportfolio.android
au.com.bankwest.mobile
au.com.cua.mb
au.com.ingdirect.android
au.com.macquarie.banking
au.com.mebank.banking
au.com.newcastlepermanent
au.com.suncorp.SuncorpBank
com.BOQSecure
com.BankAlBilad
com.CredemMobile
com.EurobankEFG
com.IngDirectAndroid
com.a2a.android.burgan
com.abnamro.nl.mobile.payments
com.adcb.bank
com.advantage.RaiffeisenBank
com.akbank.android.apps.akbank_direkt
com.anz.android.gomoney
com.aol.mobile.aolapp com.appfactory.tmb
com.bancodebogota.bancamovil
com.bancomer.mbanking
com.bancsabadell.wallet
com.bankaustria.android.olb
com.bankinter.launcher
com.bankinter.portugal.bmb
com.bankofqueensland.boq
com.barclays.android.barclaysmobilebanking
com.barclays.ke.mobile.android.ui
com.bbva.bbvacontigo
com.bbva.netcash
com.bbva.nxt_peru
com.bcp.bank.bcp
com.bendigobank.mobile
com.boubyanapp.boubyan.bank
com.boursorama.android.clients
com.kutxabank.android
com.kuveytturk.mobil
com.latuabancaperandroid
com.caisseepargne.android.mobilebanking
com.cajasur.android
com.cbd.mobile
com.cbq.CBMobile
com.chase.sig.android
com.cibc.android.mobi
com.cic_prod.bad
com.citi.citimobile
com.citibanamex.banamexmobile
com.citibank.mobile.citiuaePAT
com.clairmail.fth com.cm_prod.bad
com.coinbase.android
com.comarch.mobile.banking.bgzbnpparibas.biznes
com.comarch.security.mobilebanking
com.commbank.netbank
com.csam.icici.bank.imobile
com.db.mm.norisbank
com.db.mobilebanking
com.db.pbc.miabanca
com.db.pbc.mibanco
com.dib.app
com.discoverfinancial.mobile
com.finansbank.mobile.cepsube
com.finanteq.finance.ca
com.fullsix.android.labanquepostale.accountaccess
com.fusion.banking
com.fusion.beyondbank
com.garanti.cepsubesi
com.getingroup.mobilebanking
com.greater.Greater
com.grppl.android.shell.BOS
com.grppl.android.shell.CMBlloydsTSB73
com.grppl.android.shell.halifax
com.htsu.hsbcpersonalbanking
com.imaginbank.app
com.infonow.bofa
com.ingbanktr.ingmobil
com.isis_papyrus.raiffeisen_pay_eyewdg
com.itau.empresas com.kasikorn.retail.mbanking.wap
com.konylabs.capitalone
com.konylabs.cbplpat
Com.magiclick.odeabank
com.moneybookers.skrillpayments
com.mobileloft.alpha.droid

IOCs

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Try a free trial to ensure 100% security.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.