Popular call recording Android app QRecorder has been found guilty of planting a trojan in users’ devices for intercepting text messages. The app has over 10,000 downloads and has managed to steal 2 million crowns from victims.
The malicious app captured two-factor authentication codes that users receive via SMS and also had the ability to control what’s shown on the user’s screen. ESET security researcher Luke Stefanko revealed that the QRecorder app worked as advertised, which prevented users from becoming suspicious.
Once the QRecorder app would finish installing on an Android device, the trojan operator would send instructions 24 hours later to scan the device for certain banking apps. Whenever a targeted banking app would be launched the app would cover the app with a phishing screen to copy login credentials and pass them on to the attacker.
Stefanko released a blog explaining how the QRecorder malware works. He revealed “Attacker used Firebase messages to communicate with compromised devices. He will “ask” the device whether some of the targeted banking apps are installed or not. If so, it would send the link to encrypted payload using AES with decryption key to download.”
Stefanko revealed some of the most popular names include Air Bank, Equa, ING, Bawag, Fio, Oberbank, and Bank Austria. According to Czech Television, the targeted banks include Raiffeisen Bank, ČSOB and Česká Spořitelna. The targeted banks are mostly from German, Poland, Austria, and Czechoslovakia. Unique payloads were created for each bank.
The malware is a variant of the BankBot (Anubis I) which is not very widespread at the moment. The QRecorder app was analyzed, and it was revealed that the attackers change its targets across different campaigns. Targeting different regions allowed them not to raise any suspicions. Internal analysis at ESET security revealed that the QRecorder app was legitimate and the trojan was added in the last update.
What do you think about the QRecorder trojan? Let us know in the comments below. Also, don’t forget to follow us on Facebook and Twitter. Thanks!