A previously unknown Android banking trojan has been discovered in the wild, targeting users of the Spanish financial services company BBVA.
Believed to be in the early stages of development, the malware – dubbed Revive by Italian cybersecurity company Cleafy – was first observed on June 15, 2022 and is spread by phishing campaigns.
“The name Revive was chosen because one of the malware’s functions (called by [threat actors] exactly ‘revival’) is restarting in the event the malware stops working,” Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday article.
Distributed from fake sites (“bbva.appsecureguide[.]com” or “bbva.european2fa[.]com”) that trick users into downloading it, the malware impersonates the bank’s two-factor authentication (2FA) app and is said to be inspired by the open-source spyware called Teardroid, with the authors tweaking the original source code to incorporate new features.
Unlike other banking malware known to target a wide range of financial applications, Revive is tailored for a specific target, in this case BBVA banking. That said, it’s no different from its counterparts in that it uses Android’s accessibility services API to meet its operational goals.
Revive is primarily designed to collect bank credentials through the use of lookalike pages and facilitate account takeover attacks. It also integrates a keylogger module to capture keystrokes and the ability to intercept SMS messages received on infected devices, mainly one-time passwords and 2FA codes sent by the bank.
When the victim opens the malicious app for the first time, Revive asks to accept two permissions related to SMS messages and phone calls, the researchers said. “Then a mirror page (of the targeted bank) will appear to the user and if credentials are inserted they are sent to [command-and-control server] of TA.”
The findings again highlight the need to be cautious when downloading apps from untrusted third-party sources. The abuse of sideloading has not gone unnoticed by Google, which has implemented a new feature in Android 13 to block such apps from using the accessibility API.
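The combination described above (a sideloaded app that is enabled as an accessibility service and holds SMS permissions) is a useful triage signal for defenders. The following script is an added example, not code from the article or from Cleafy: it parses text in the format produced by real `adb shell pm list packages -i`, `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>` commands and flags packages matching that profile. The package names and command output embedded below are constructed samples, not real device data.

```python
"""Triage heuristic for the Revive-style profile: sideloaded + enabled
accessibility service + granted SMS permissions. Sample outputs below are
constructed to mimic real adb output; they do not come from a device."""
import re

# Constructed sample of `adb shell pm list packages -i` (package + installer).
PM_LIST_I = """package:com.android.chrome installer=com.android.vending
package:com.example.bbva2fa installer=null
package:com.example.notes installer=com.android.vending
"""
# Constructed sample of `settings get secure enabled_accessibility_services`.
ENABLED_A11Y = "com.example.bbva2fa/.AccService:com.example.notes/.NotesA11y"
# Constructed excerpts of the runtime-permission lines from `dumpsys package`.
DUMPSYS = {
    "com.example.bbva2fa": "android.permission.RECEIVE_SMS: granted=true\n"
                           "android.permission.READ_SMS: granted=true\n",
    "com.example.notes": "android.permission.READ_SMS: granted=false\n",
    "com.android.chrome": "android.permission.RECEIVE_SMS: granted=false\n",
}

PLAY_STORE = "com.android.vending"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

def parse_installers(text):
    """Map package name -> installer package ('null' means sideloaded/unknown)."""
    return dict(re.findall(r"^package:(\S+) installer=(\S+)$", text, re.M))

def parse_enabled_services(text):
    """Return the set of packages that own an enabled accessibility service."""
    return {entry.split("/")[0] for entry in text.split(":") if entry}

def granted_sms_perms(dumpsys_text):
    """Return the SMS permissions that dumpsys reports as granted=true."""
    found = re.findall(r"^(android\.permission\.\S+): granted=true", dumpsys_text, re.M)
    return SMS_PERMS & set(found)

def flag_suspects(installers, a11y_pkgs, dumps):
    """Flag packages that show all three traits of the profile."""
    suspects = {}
    for pkg, installer in installers.items():
        sideloaded = installer != PLAY_STORE
        sms = granted_sms_perms(dumps.get(pkg, ""))
        if sideloaded and pkg in a11y_pkgs and sms:
            suspects[pkg] = sorted(sms)
    return suspects

if __name__ == "__main__":
    print(flag_suspects(parse_installers(PM_LIST_I),
                        parse_enabled_services(ENABLED_A11Y), DUMPSYS))
```

A hit is a triage lead, not a verdict: legitimate sideloaded accessibility tools exist, so the flagged package should be pulled and analysed before any conclusion.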