Last week, we posted a blog discussing how updates to the Android platform have impacted key functionalities of a group of malware families. Today, we are going to look at how one change is affecting a financial Trojan called Android.Bankosy, which was recently noted by Poland’s computer emergency response team (CERT).
When Android Lollipop was released in 2014, the getRunningTasks API was deprecated. Since then, the API returns only a subset of running tasks rather than all of them. This data may now only include the caller’s own tasks and other common details.
The output of the getRunningTasks API is central to Bankosy because the threat checks which application is currently in the foreground. The Trojan does this to determine if an application of interest (such as a banking or email app) is running, and if one is, then the malware overlays a window on top of the targeted application. The overlay window asks the user to disclose sensitive information related to the application, including the following:
The following image shows an overlay window that Bankosy uses to steal information when the user opens an email application:
Figure 1. Bankosy overlay window on top of a legitimate email application
Lollipop stops Bankosy
As Lollipop deprecated the getRunningTasks API, the code in Bankosy responsible for showing the overlay window is not triggered. The threat’s check for a running app will always evaluate to “false” because the API will not disclose the currently running application, unless it is a general app (such as Launcher) or was created by the caller of the function.
Figure 2 illustrates the general code pattern in other variants of the Bankosy family, showing how the “if” condition will never be satisfied because of how Lollipop limits the getRunningTasks API.
Figure 2. Common code pattern found in other variants of Bankosy
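For analysts triaging decompiled samples, the foreground-check pattern described above can be flagged with a simple static heuristic. The following is an added example, not code from Symantec or from the malware; the sample sources, package names and the `showOverlay` helper are constructed for illustration, and the regular expressions assume decompiled Java output.

```python
import re

# Constructed sample: decompiled-style Java resembling the foreground check
# described in the post. Class, method and package names are hypothetical.
SAMPLE_DECOMPILED = '''
public class Watcher extends Service {
    void poll() {
        ActivityManager am = (ActivityManager) getSystemService("activity");
        String top = am.getRunningTasks(1).get(0).topActivity.getPackageName();
        if (top.equals("com.example.bank") || top.contains("com.example.mail")) {
            showOverlay(top);
        }
    }
}
'''

# Constructed sample: uses the API without reading the foreground package.
SAMPLE_BENIGN = '''
public class Cleaner {
    int count(ActivityManager am) { return am.getRunningTasks(10).size(); }
}
'''

CALL = re.compile(r'\.getRunningTasks\s*\(')
TOP = re.compile(r'\.topActivity\b[^;]*?\.getPackageName\s*\(')
COMPARE = re.compile(r'\.(?:equals|contains|startsWith)\s*\(\s*"([A-Za-z0-9_.]+)"')

def triage(source):
    """Summarise how one decompiled source file uses getRunningTasks."""
    result = {"calls_api": bool(CALL.search(source)),
              "reads_foreground_package": False,
              "compared_packages": []}
    if result["calls_api"] and TOP.search(source):
        result["reads_foreground_package"] = True
        # Dotted string literals used in comparisons look like package names.
        result["compared_packages"] = sorted(
            {p for p in COMPARE.findall(source) if "." in p})
    return result

def verdict(source):
    """Turn the triage result into a one-line analyst note."""
    r = triage(source)
    if r["reads_foreground_package"] and r["compared_packages"]:
        return "review: foreground-app check against " + ", ".join(r["compared_packages"])
    if r["calls_api"]:
        return "info: uses getRunningTasks without a package comparison"
    return "clean"
```

The compared package names give a quick view of which applications a sample is written to watch for, even though the check itself no longer fires on Lollipop and later.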
Symantec detects the malware as Android.Bankosy and recommends the following security best practices: