VMX Labs detected 5 active Command & Control (C2) server login panels in Poland, Italy, and Brazil that specialized in overlay attacks (manual and automatic) against Android users, especially in Brazil and Italy.
This (claimed) new Android banking trojan (ABT) is marketed as AzraelBot.
One of the servers we found uses injects leaked from the Hook ABT. This leak was anticipated and, unfortunately, it has lowered the barrier to entry into the Android banking malware scene.
Manual overlay attacks mainly target Italy and Brazil. Generic injections used for Italy are as below:
Manual overlay attacks on Brazilian banks are more sophisticated and customized.
C2 IOC List

| Indicator | Type |
|---|---|
| 200.98.200.130 | Panel IP address |
| 200.98.200.107 | Panel IP address |
| 179.43.148.2 | Panel IP address |
| 185.241.208.123 | Panel IP address |
| 45.83.31.225 | Panel IP address |
| azzzzzzzzzz000000bro.com | C2 domain |
| googleoverdroid.com | C2 domain |
Note: Special thanks to the security researcher, whose earlier findings have greatly contributed to this ongoing research.
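For defenders consuming the IOC list above, the following is an added example (written for this page, not code from VMX Labs) that scans DNS and proxy log lines for the listed panel IPs and C2 domains, treats subdomains of the C2 domains as matches, and reports which internal clients contacted them. The log format, timestamps and client addresses are constructed for the example; only the indicators come from the table.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Indicators exactly as listed in the C2 IOC table above.
C2_IPS = {
    "200.98.200.130", "200.98.200.107", "179.43.148.2",
    "185.241.208.123", "45.83.31.225",
}
C2_DOMAINS = {"azzzzzzzzzz000000bro.com", "googleoverdroid.com"}

# Constructed sample log lines (format, timestamps and client IPs are made up).
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z dns query client=10.0.0.5 qname=api.example.com type=A",
    "2024-01-01T10:00:02Z dns query client=10.0.0.7 qname=googleoverdroid.com type=A",
    "2024-01-01T10:00:03Z proxy client=10.0.0.7 dst=185.241.208.123:443 method=CONNECT",
    "2024-01-01T10:00:04Z proxy client=10.0.0.9 dst=203.0.113.10:443 method=CONNECT",
    "2024-01-01T10:00:05Z dns query client=10.0.0.7 qname=cdn.azzzzzzzzzz000000bro.com type=A",
]


@dataclass
class Hit:
    line_no: int     # 1-based index into the scanned log
    indicator: str   # the IOC from the table that matched
    kind: str        # "ip" or "domain"
    raw: str         # the full log line, for triage


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dotted labels ending in an alphabetic TLD, so bare IPs do not match.
_HOST = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
_CLIENT = re.compile(r"\bclient=(\S+)")


def domain_matches(host: str) -> Optional[str]:
    """Return the C2 domain if host equals it or is a subdomain of it, else None.

    The suffix check requires a leading dot so that look-alike names such as
    'notgoogleoverdroid.com' are not flagged.
    """
    host = host.lower().rstrip(".")
    for d in C2_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per IOC occurrence found in the given log lines."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for ip in _IPV4.findall(line):
            try:
                ipaddress.ip_address(ip)   # discard things like 999.1.1.1
            except ValueError:
                continue
            if ip in C2_IPS:
                hits.append(Hit(n, ip, "ip", line))
        for host in _HOST.findall(line):
            d = domain_matches(host)
            if d:
                hits.append(Hit(n, d, "domain", line))
    return hits


def suspect_clients(hits: List[Hit]) -> Set[str]:
    """Internal client addresses that appear on lines with a C2 match (triage pivot)."""
    clients: Set[str] = set()
    for h in hits:
        m = _CLIENT.search(h.raw)
        if m:
            clients.add(m.group(1))
    return clients


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.kind} {h.indicator}")
    print("clients to investigate:", sorted(suspect_clients(found)))
```

On the constructed log this reports two domain hits and one IP hit, all tied to the same client, which is the kind of pivot a SOC would use to find the device carrying the dropper. Matching on the IP alone is weaker evidence than the domain match because panel IPs are often shared hosting and get reassigned; the domain hits are the ones worth escalating first.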