The Android banking malware that ESET recently discovered on Google Play has been spotted in the wild again, now improved and targeting more banks. Further investigation of this resurfacing threat has uncovered that it was built from source code that was made public a couple of months ago. ESET has discovered a new version of the trojan on Google Play, masquerading as yet another legitimate weather app, this time World Weather.
As it turns out, both of these Android trojans are based on free source code that was made public online. Allegedly written from scratch, the "template" code of the Android malware, along with the code of the C&C server including a web control panel, has been available on a Russian forum since December 19, 2016.
On top of the weather forecast functionality it adopted from the original legitimate application, Trojan.Android/Spy.Banker.HW (the newly detected version) is able to remotely lock and unlock infected devices by setting a lock screen password, and to intercept text messages. The only differences between the two versions appear to be a wider target group (the malware now targets users of 69 British, Austrian, German and Turkish banking apps) and a more advanced obfuscation technique.
The full blog post is available here: http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/