Last month security researchers at FireEye exposed a family of Android trojans designed to steal login credentials from mobile banking users. This week they followed up with additional information about the malware which is international in scope, actively harvests user credentials, and continues to evolve. Dubbed “SlemBunk,” the malware is designed to avoid detection and lay dormant on a user’s smartphone until they open their banking application. At that point, the malware recognizes that a banking application has been launched and launches its own customized interface made to look like the original app. This custom phishing interface has been carefully designed to appear as close to the legitimate banking app as possible. Once the user enters their credentials into the trojan’s interface, the information is sent to the attacker’s server. 

The researchers have uncovered 170 different samples of the trojan targeting customers in North America, Europe, and Asia Pacific. They have also observed that the trojan has the ability to disguise itself as up to 33 different banking apps. In addition to harvesting user credentials for financial services, the trojan is also able to extract device information including the phone number, device model and operating system. 

The researchers claim that “Newer versions of SlemBunk were observed being distributed via porn websites. Users who visit these sites are incessantly prompted to download an Adobe Flash update to view the porn, and doing so downloads the malware.” First, the ‘Dropper’ component is delivered to the user’s device as a hidden download through the porn website. Subsequently, this application unpacks a downloader which then downloads the malicious SlemBunk trojan itself. The trojan lies dormant until the user launches a banking application. 

The malware has not been observed in any official Google Play store applications and the recorded infections have all originated from malicious websites. Newer iterations of the trojan have become increasingly sophisticated, utilizing commercial anti-piracy protection to avoid reverse-engineering. The report notes that “among all the specified apps, we have observed that banks in Australia are among SlemBunk’s favorites, with banks in the U.S. coming in second.”