
Cisco Talos researchers have discovered a new member of the GPlayed trojan family. The malware is designed to attack customers of a Russian state-owned bank.

Earlier this month, the researchers revealed GPlayed, an “extremely powerful” trojan that poses as a Google service when it infects Android devices. At the time, the researchers thought the malware was still under development, but that did not detract from the fact that the trojan was extremely flexible, made use of obfuscation, and had strong destruction and data theft capabilities.

Now it appears that GPlayed is not the only member of the new trojan family. On Monday, Talos announced that a “younger brother” of the malware had also been discovered. This version is called GPlayed Banking, and it is a banking trojan built for a specific role: attacking customers of the Russian state bank Sberbank who use the digital AutoPay payment service.


Like GPlayed, the malware seems to have been spread through phishing campaigns and third-party app repositories. The capabilities of GPlayed Banking are not as extensive as those of its predecessor, but the malware can extract data from a device and send it to the creator’s command and control server.

Like GPlayed, the malware is written in .NET and poses as a Google service on Android. The malicious code is implemented in a DLL called PlayMarket.dll, which then obtains the BIND_DEVICE_ADMIN permission. This gives the attacker almost complete control over a device.

If the malware is running on a vulnerable device, the trojan starts requesting changes to the user’s settings in order to escalate privileges. If a victim rejects the permission requests, they reappear every five seconds. According to Talos, the malware can also lock a device’s screen, but it does not yet do so.


The malware then opens a WebView screen overlay and sends a text message to Sberbank AutoPay with the word “balance” in Russian. If the victim is a customer, the service responds, and the account holds more than 3,000, the trojan takes action. The malware requests a value of 66,000 if the balance is more than 68,000. Otherwise, it requests the available balance minus 1,000.

A new WebView object is then created to request this amount. If the account shows less than $3,000, the malware won’t do anything.

To complete the transaction, the malware needs a validation code. GPlayed Banking looks at each incoming message with the word “password” in Russian, then copies the text and injects it into the WebView object.
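
The behaviour described above implies a recognizable footprint in an app's manifest: a device-admin receiver combined with the ability to both send and read SMS. The following is an added example for defenders, not code from Talos or from this article; it checks a decoded AndroidManifest.xml for that combination. The SMS permission names are assumed from the described behaviour, and the sample manifest, package name and function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
# Assumption: the SMS behaviour in the article maps to these standard permissions.
SMS_SEND = "android.permission.SEND_SMS"
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed sample manifest (hypothetical package, not taken from a real sample).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
    }
    # Device-admin components are receivers guarded by BIND_DEVICE_ADMIN.
    admin_receivers = [
        el.get(ANDROID_NS + "name")
        for el in root.iter("receiver")
        if el.get(ANDROID_NS + "permission") == DEVICE_ADMIN
    ]
    findings = {
        "device_admin": bool(admin_receivers),
        "can_send_sms": SMS_SEND in requested,
        "can_read_sms": bool(SMS_READ & requested),
        "admin_receivers": admin_receivers,
    }
    # Flag only the full combination; each capability alone is common in benign apps.
    findings["suspicious"] = (
        findings["device_admin"]
        and findings["can_send_sms"]
        and findings["can_read_sms"]
    )
    return findings


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A match is a reason to inspect the app further, not a verdict: the check needs the manifest already decoded from its binary form inside the APK.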

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.