GPlayed's Younger Brother is a Banker - and It's After Russian Banks


GPlayed's Younger Brother is a Banker - and It's After Russian Banks (Oct 29, 2018)

A new version of the "GPlayed" Android banking trojan, first reported on in early October 2018, has been identified impersonating the Google Play Store application, according to Cisco Talos researchers. This variant, dubbed "GPlayed Banking," specifically targets "SherBank AutoPay" users while the previous version targeted banking information in general. SherBank AutoPay is a service offered by SherBank, which is a Russian state-owned bank. GPlayed Banking is distributed by posing as the Google Play Store application with the labelled "Play Google Market and, once downloaded, asks the user to change settings to grant the application administrator privileges. Interestingly, the application does not need administrator privileges to conduct its malicious activity that consists of stealing SMS messages and sending SMS messages to SherBank to determine an account balance. If the balance is lower than $3,000 the trojan stops, if larger than 68,000 the malware requests a value of 66,000, otherwise, the total amount minus 1,000 is requested.

Recommendation: It is important to only use the Google Play Store to obtain your software (for Android users), and avoid installing software from unverified sources because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be deployed on devices, particularly those that could contain sensitive information.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.