A new member of the GPlayed Trojan has been discovered which has been designed to attack customers of a Russian-owned state bank.
Earlier this month, researchers from Cisco Talos revealed GPlayed, an "extremely powerful" Trojan which pretends to be a Google service when infecting Android mobile devices.
At the time of discovery, the researchers said they believed the malware was still in development due to clues in the code -- but this did not detract from the fact that the Trojan was extremely flexible, used obfuscation, and contained strong destructive and data-stealing capabilities.
It has now been found that GPlayed is not the only member of the new Trojan family. On Monday, Talos said that the malware's "younger brother" has also appeared on the radar.
Dubbed "GPlayed Banking," the variant is a banking Trojan built with a specific role -- to target customers of the Russian state-owned Sberbank who use the bank's digital AutoPay payments service.
The malware appears to be able to spread through phishing campaigns and third-party app repositories in the same way as GPlayed.
The capabilities of GPlayed Banking are not quite as extensive as the predecessor's all-around data-stealer functionality, but the malware is still able to exfiltrate data from a target device and send it to the operator's command-and-control (C2) server.
The malware is written in .NET in the same manner as GPlayed and also masquerades as a Google service on Android.
Malicious code is implanted in a DLL called PlayMarket.dll, which declares permissions including BIND_DEVICE_ADMIN -- which permits close to full device control -- through the package's certificate.
If the malware is executed on a vulnerable device, the Trojan begins by requesting changes to user settings for the purpose of privilege escalation.
Even if a victim cancels the pop-up permission requests, they will reappear every five seconds. Talos says that the malware also contains the capability to lock the device's screen, but this is not called at present.
The Trojan will then call up a WebView screen overlay and send an SMS message to Sberbank AutoPay with the word "balance" in Russian.
If the victim is a Sberbank customer and the service responds, the Trojan acts as long as the reported account balance is above 3,000. The malware will request a value of 66,000, lowering it in increments of 1,000 until the available figure is determined.
A new WebView object is then created, requesting this amount. The malware will remain dormant if the account balance is less than 3,000.
However, in order to complete the fraudulent transaction, the malware needs a validation code. GPlayed Banking will parse any arriving message containing the word "password" in Russian, extracting the phrase and injecting it into the WebView object.
A variable in the object also appears to show how the Trojan attempts to circumvent 3-D Secure anti-fraud protections.
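The behaviour described above (a device-admin receiver, SMS sent to the bank and incoming SMS parsed for a validation code, a WebView overlay) maps onto a recognisable manifest permission footprint. The following is an added defensive example, not code from the article or from Cisco Talos: a small triage script that parses an Android manifest and scores it on that footprint. It assumes that the overlay is shown with `SYSTEM_ALERT_WINDOW` (the article does not name that permission) and uses a constructed sample manifest; the scoring weights are the author's own heuristic, not an indicator published by Talos.

```python
"""Heuristic triage of an AndroidManifest.xml for a GPlayed-Banking-style footprint.

Added example (not from the article or Cisco Talos). It scores a manifest on:
  * a receiver guarded by BIND_DEVICE_ADMIN (device-admin capable, as the page notes),
  * the ability to both send and read/receive SMS (balance query + OTP capture),
  * SYSTEM_ALERT_WINDOW (assumed to back the WebView overlay; not stated on the page).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"   # named on the page
SMS_SEND = "android.permission.SEND_SMS"
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"      # assumption, see docstring
REVIEW_THRESHOLD = 5                                     # author's own cut-off


@dataclass
class Findings:
    uses_permissions: set = field(default_factory=set)
    device_admin_receiver: bool = False
    score: int = 0
    reasons: list = field(default_factory=list)


def triage_manifest(xml_text: str) -> Findings:
    """Parse a manifest and score it; higher score = more banker-like footprint."""
    root = ET.fromstring(xml_text)
    f = Findings()

    # <uses-permission android:name="..."/> entries are un-namespaced tags
    for el in root.iter("uses-permission"):
        name = el.get(ATTR_NAME)
        if name:
            f.uses_permissions.add(name)

    # A DeviceAdminReceiver is declared as a <receiver> whose android:permission
    # is BIND_DEVICE_ADMIN; that is how an app becomes device-admin capable.
    for el in root.iter("receiver"):
        if el.get(ATTR_PERMISSION) == DEVICE_ADMIN:
            f.device_admin_receiver = True

    if f.device_admin_receiver:
        f.score += 3
        f.reasons.append("receiver guarded by BIND_DEVICE_ADMIN (device-admin capable)")
    if SMS_SEND in f.uses_permissions and f.uses_permissions & SMS_READ:
        f.score += 3
        f.reasons.append("can both send and read SMS (balance query / OTP interception pattern)")
    if OVERLAY in f.uses_permissions:
        f.score += 2
        f.reasons.append("SYSTEM_ALERT_WINDOW (overlay capable)")
    return f


def verdict(f: Findings) -> str:
    return "review" if f.score >= REVIEW_THRESHOLD else "low"


# Constructed sample manifests (not real packages) for a stand-alone run.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Play Market">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(xml)
        print(f"{label}: score={result.score} verdict={verdict(result)}")
        for r in result.reasons:
            print("  -", r)
```

The script is deliberately a triage aid rather than a detector: plenty of legitimate apps hold SMS or overlay permissions individually, and it is the combination with a device-admin receiver, on a package posing as a Google service, that should route a sample to an analyst.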
GPlayed's developers have proven themselves skilled. While the GPlayed Banking malware specifically targets a core group of customers from one financial institution, Talos believes it would be a "trivial" task for them to adapt the Trojan to target other banks and online services.
The DLLs used by the malware have a low detection ratio, which suggests that while the Trojan is yet to be released fully into the wild to wreak havoc on Android users, "they certainly have the potential to infect a large number of users and could quickly hijack a user's banking credentials," according to the researchers.
"The interception of SMS validation codes technique is not new for banking Trojans," Cisco Talos says. "But this banking trojan followed by the GPlayed trojan shows a clear evolution of the actors behind these malware families. They went from a simple banking trojan to a full-fledged trojan with capabilities never seen before."