2025-01-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains what Movil Secure is. Most readers will not be familiar with it, so it is shared here for reference.
Preface
A malicious app named Movil Secure was found on Google Play. It uses SMiShing (SMS fraud combined with phishing) and mainly targets Spanish-speaking users.
Movil Secure is a fake banking app disguised as a mobile token service. Its developers clearly tried to convince users that it was legitimate by using professional branding and a sophisticated user interface. In addition, we found three other similar counterfeit applications, all of which belong to the same developer. Google has since removed these malicious apps from the store.
Movil Secure was launched on October 19, 2018 and reached 100+ downloads within 6 days of launch. The download count is probably explained by the app's claim to be linked to a multinational banking group (BBVA) in Spain. The bank has long been known for its technical support services, and the company's genuine mobile banking app is considered one of the best applications in the industry.
The fake app takes advantage of BBVA's standing in the industry and infects users' phones by posing as a bank mobile token service, but the researchers found that Movil Secure does not actually provide that function.
The malware, which is aimed at Spanish-speaking users, claims to identify BBVA users and provide transaction authorization services for them. However, after analyzing the functions and behavior of Movil Secure, the researchers said that it can be classified as spyware. The architecture of the current version of Movil Secure is very simple, which may mean that it is just an experimental application released by researchers on Google Play.
Infection-attack mechanism
When Movil Secure starts for the first time, it collects device identification information such as the device ID, operating system version, and country code. It then sends this information to a remote malicious C2 server. All of this happens quietly in the background, and the user will not notice anything unusual on the phone screen.
When we visited this remote malicious C2 server, we saw a simple login page, which indicates that the attacker has developed a complete management system to collect, organize, and analyze captured user data. More importantly, attackers are likely to use this data to launch a large-scale cyber attack.
The app collects not only device identification information, but also the SMS text messages and mobile phone numbers of the target device. After analyzing the malicious code, the researchers identified the main purpose of this malware (spyware): when the infected device receives a new text message, the app sends the sender of the message (mobile number) and the message content to the remote C2 server. This type of information is very valuable, because most current banking systems use SMS verification codes to authorize bank transactions.
At present, the developers of this malware have begun trying to use the collected data in SMiShing campaigns.
A closer look at the developer of the malicious app shows three similar malicious apps published under the same name. Evo and Bankia are both very popular banks in Spain, while Compte de Credit has nothing to do with any large financial institution. All three malicious apps were released on October 19th, at the same time as Movil Secure. After analysis, the researchers found that these malicious apps operate in the same way as Movil Secure: they all collect device identification information and SMS text message data on infected devices, and then send them to remote C2 servers.
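The behavior described above (reading incoming SMS, reading device identifiers, and sending both to a server) leaves traces in an app's manifest that can be checked before installation or during app-store vetting. The following is an added example, not code from the original analysis; it assumes the APK's AndroidManifest.xml has already been decoded to text (for example with apktool), and the two sample manifests and their package names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
PHONE_STATE = "android.permission.READ_PHONE_STATE"  # gate for device identifiers
INTERNET = "android.permission.INTERNET"

def triage_manifest(manifest_xml):
    """Summarise SMS-forwarding capability in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    # Components that subscribe to the incoming-SMS broadcast.
    receivers = sorted({r.get(NS + "name") for r in root.iter("receiver")
                        for a in r.iter("action") if a.get(NS + "name") == SMS_ACTION})
    sms_perms = sorted(perms & SMS_PERMS)
    has_network = INTERNET in perms
    return {
        "sms_permissions": sms_perms,
        "sms_receivers": receivers,
        "reads_device_id": PHONE_STATE in perms,
        "has_network": has_network,
        # SMS access plus network access is what makes forwarding possible.
        "needs_review": bool(sms_perms or receivers) and has_network,
    }

# Constructed sample manifests (not taken from the apps named in the article).
FAKE_TOKEN_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.faketoken">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsListener">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

NEWS_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.news">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("fake token", FAKE_TOKEN_APP), ("news", NEWS_APP)):
        print(name, triage_manifest(xml))
```

A "needs_review" result is a prompt for manual analysis, not a verdict: legitimate messaging apps request the same permissions, so the flag matters most when the app's stated purpose (here, a token generator) gives it no reason to read SMS.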
Indicators of compromise
SHA256:
b168e64a02c3aed52b0c6f77a380420dd2495c3440c85a3b7ed99b8ac871d46a
d8018d869254abd6e0b2fb33631fcc56c9f2e355c5d6f40701f71c1a73331cb3
299e1eb8a1f13e1eb77a1c38e5cf7bbdc588db89d4eaad91e7fc95d156d986e5
24e7a8ed726efa463edec2e19ad4796cf4b97755b8fdf06dea4950c175c01f77
Malware detection name: AndroidOS_FlokiSpy.HRX
Command and control server: hxxps://backup.spykey-floki.org/add.php