Cisco Talos has uncovered a new Android-based campaign targeting Australian financial institutions. As the investigation progressed, Talos came to understand that this campaign was associated with the “ChristinaMorrow” text message spam scam previously spotted in Australia. Although this malware’s credential-harvest mechanism is not particularly sophisticated, it does have an advanced self-preservation mechanism. Even though this is not a traditional remote access tool (RAT), this campaign seems to target mainly private users. Aside from the credential stealing, this malware also includes features like the theft of users’ contact list, collecting phone numbers associated names, and files and photos on the device. But that doesn’t mean companies and organizations are out of the woods. They should still be on the lookout for these kinds of trojans, as the attackers could target corporate accounts that contain large amounts of money.
The information collected by the malware and the control over the victim’s mobile device allows their operators to perform more complex social engineering attacks. A motivated attacker can use this trojan to harvest usernames and passwords and then reuse them to login into the organization’s system where the victim works. This is a good example where two-factor authentication based on SMS would fail since the attacker can read the SMS. Corporations can protect themselves from these side-channel attacks by deploying client-based two-factor authentication, such as Duo Security.
One of the most impressive features of this malware is its resilience. If the command and control (C2) server is taken down, the malicious operator can still recover the malware control by sending SMS messages directly to the infected devices. This makes the taking down and recovery of the network much harder and poses a considerable challenge for defenders.