New Android Banking Trojan ‘Revived’ Targets Spanish Financial Services Users

    A previously unknown Android banking trojan has been discovered in the wild, targeting users of the Spanish financial services company BBVA.

    Believed to be in the early stages of development, the malware – dubbed Revive by Italian cybersecurity company Cleafy – was first observed on June 15, 2022 and is spread through phishing campaigns.

    “The name Revive was chosen because one of the malware’s functions (called by [threat actors] exactly ‘revival’) is restarting in the event the malware stops working,” Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday article.


    Available for download from fake scam sites (“bbva.appsecureguide[.]com” or “bbva.european2fa[.]com”) that trick users into downloading the app, the malware impersonates the bank’s two-factor authentication (2FA) app and is said to be inspired by open-source spyware called Teardroid, with the authors tweaking the original source code to incorporate new features.


    Unlike other banking malware known to target a wide range of financial applications, Revive is tailored for a specific target, in this case BBVA banking. That said, it’s no different from its counterparts in that it uses Android’s accessibility services API to meet its operational goals.


    Revive is primarily designed to collect bank credentials through the use of lookalike pages and facilitate account takeover attacks. It also integrates a keylogger module to capture keystrokes and the ability to intercept SMS messages received on infected devices, mainly one-time passwords and 2FA codes sent by the bank.


    When the victim opens the malicious app for the first time, Revive asks to accept two permissions related to SMS messages and phone calls, the researchers said. “Then a mirror page (of the targeted bank) will appear to the user and if credentials are inserted they are sent to [command-and-control server] of TA.”
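    A manifest-triage check for the behaviour described above (SMS and call permissions requested alongside an accessibility service), written here as an added example rather than code from Cleafy or the article; the two manifests are constructed and their package and service names are placeholders:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Revive asks for SMS and phone-call permissions at first launch and drives
# its overlays and keylogger through an accessibility service, so that
# combination is the triage signal for a sideloaded "2FA" app.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
CALL_PERMISSIONS = {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG"}
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(manifest_xml: str) -> dict:
    """Flag a decoded AndroidManifest.xml (e.g. apktool output) that pairs
    SMS access with an accessibility service."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    has_a11y = False
    for svc in root.iter("service"):
        actions = {a.get(NAME) for a in svc.iter("action")}
        if svc.get(PERMISSION) == A11Y_PERMISSION or A11Y_ACTION in actions:
            has_a11y = True
    sms = sorted(requested & SMS_PERMISSIONS)
    return {
        "sms": sms,
        "calls": sorted(requested & CALL_PERMISSIONS),
        "accessibility_service": has_a11y,
        # SMS interception plus accessibility abuse is the Revive pattern
        "suspicious": bool(sms) and has_a11y,
    }


# Constructed manifests: a Revive-like fake 2FA app and a benign notes app.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.placeholder.fake2fa">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".PlaceholderA11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.placeholder.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/></manifest>"""
```

    The check is a heuristic for prioritising sideloaded APKs, not a verdict: legitimate SMS and accessibility apps exist, so a hit should lead to a look at the overlay and network behaviour.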

    The findings again highlight the need to be cautious when downloading apps from untrusted third-party sources. The abuse of sideloading has not gone unnoticed by Google, which has implemented a new feature in Android 13 to block such apps from using the accessibility API.
