Simple but extremely effective: Inside the world's most prolific mobile banking malware

Asacub trojan has quietly been going about its business for years, stealing funds from hundreds of thousands of victims - but it can also be easily avoided.
Written by Danny Palmer, Senior Writer

Asacub is one of the world's most successful mobile banking trojans, responsible for stealing funds from hundreds of thousands of users worldwide. But how did this unremarkable piece of malware become so prolific?

While Asacub initially started life as a form of spyware in the first half of 2015, by the start of the following year, the malware had shifted to stealing funds and banking information -- and has kept that focus ever since.

It proved to be a smart move for the attackers, because by the middle of 2017 Asacub had risen to become the most prolific form of mobile banking trojan in the world, outperforming other prominent forms of banking malware, including Svpeng and Faketoken, in terms of sheer number of attacks.

To date, Asacub has infected over 225,000 users, almost all of whom are in Russia, although it has also hit victims across the former USSR, as well as Germany, the United States and others, according to researchers at Kaspersky Lab, who've examined the rise and continued success of the malware.

Distribution of the malware has barely changed over the years, with Asacub's means of delivery coming via SMS phishing messages, which contain a link and ask the victim to view a photo or media message.

If the user clicks through to this they're directed to a webpage that encourages them to download the supposed image, but in fact downloads the APK for the trojan. The malware can only be downloaded onto the Android device if the user enables the installation of third-party apps from unknown sources.

Once the installation process is up and running, Asacub asks the user for Device Administrator Rights or permission to use Accessibility Services, both of which provide the malicious app with the ability to carry out its illicit tasks.


In order to ensure the malware is granted these rights, the request for permissions will repeatedly appear every few seconds even if the user attempts to reject or ignore it, a tactic designed to ensure the victim gives in to the demand.

Once this request has been met, the malware immediately sets itself as the default SMS application in order to steal all incoming messages and send them and details of the sender to the attacker.

By setting itself as the default messaging app, Asacub can withdraw funds from phones running an application used by one of Russia's largest banks. This banking application allows for money to be exchanged via SMS, and to steal money, Asacub sends another phishing message to the device asking for a transfer.

The malware's ability to read messages also means it can intercept text messages from the bank containing one-time passwords, helping the attackers to steal from accounts that use additional security.

In addition, Asacub ensures the user can't check their mobile banking balance or change any settings, because the permissions it has been given enable it to prevent the legitimate banking app from running on the phone.
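The three footholds described above (default SMS handler, an enabled accessibility service, and device administrator rights) are all visible in Android's own settings, so a defender can audit a device for them without any knowledge of a specific sample. The following is an added example, not code from the article or from Kaspersky Lab. It parses the text printed by three real commands run over adb (`settings get secure sms_default_application`, `settings get secure enabled_accessibility_services`, and `dumpsys device_policy`) and flags any package holding one of those roles that is not on an allowlist. The line format assumed for `dumpsys device_policy`, the allowlisted packages, and the sample outputs (including the placeholder package `com.example.mediaviewer`) are constructed for the example; tune the allowlists to the devices you manage.

```python
import re

# Allowlists: packages expected to hold each role on a managed fleet.
# Constructed for this example; the MDM component below is a placeholder.
ALLOWED_SMS_APPS = {"com.google.android.apps.messaging", "com.android.mms"}
ALLOWED_A11Y_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
ALLOWED_DEVICE_ADMINS = {"com.example.mdm/.AdminReceiver"}  # hypothetical MDM agent

# A component name line inside the "Enabled Device Admins" block of
# `dumpsys device_policy`, e.g. "    com.pkg/.AdminReceiver:" (format assumed).
ADMIN_LINE = re.compile(r"^\s*([\w.]+/[\w.$]+):\s*$")


def parse_accessibility_services(raw):
    """Parse `settings get secure enabled_accessibility_services`: a colon-separated
    list of package/service component names, or the string 'null' when none."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {svc for svc in raw.split(":") if svc}


def parse_device_admins(dumpsys):
    """Collect component names listed under 'Enabled Device Admins' in dumpsys output."""
    admins, in_section = set(), False
    for line in dumpsys.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if in_section:
            match = ADMIN_LINE.match(line)
            if match:
                admins.add(match.group(1))
            elif line and not line.startswith(" "):
                in_section = False  # an unindented line ends the block
    return admins


def audit(sms_default, a11y_raw, dumpsys,
          allowed_sms=ALLOWED_SMS_APPS,
          allowed_a11y=ALLOWED_A11Y_SERVICES,
          allowed_admins=ALLOWED_DEVICE_ADMINS):
    """Return a list of findings: every privileged role held by a non-allowlisted package."""
    findings = []
    sms_default = sms_default.strip()
    if sms_default and sms_default != "null" and sms_default not in allowed_sms:
        findings.append(f"unexpected default SMS app: {sms_default}")
    for svc in sorted(parse_accessibility_services(a11y_raw) - allowed_a11y):
        findings.append(f"unexpected accessibility service: {svc}")
    for admin in sorted(parse_device_admins(dumpsys) - allowed_admins):
        findings.append(f"unexpected device admin: {admin}")
    return findings


# Constructed sample output for a clean device.
CLEAN_SMS = "com.google.android.apps.messaging"
CLEAN_A11Y = "null"
CLEAN_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.AdminReceiver:
      uid=10045
  Password owner: -1
"""

# Constructed sample output for a device where a sideloaded "media viewer"
# (placeholder package name) has taken all three roles the article describes.
SUSPECT_SMS = "com.example.mediaviewer"
SUSPECT_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.mediaviewer/.HijackService"
)
SUSPECT_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.AdminReceiver:
      uid=10045
    com.example.mediaviewer/.AdminReceiver:
      uid=10231
  Password owner: -1
"""

if __name__ == "__main__":
    for name, args in (("clean", (CLEAN_SMS, CLEAN_A11Y, CLEAN_DUMPSYS)),
                       ("suspect", (SUSPECT_SMS, SUSPECT_A11Y, SUSPECT_DUMPSYS))):
        print(name, audit(*args) or "no findings")
```

On a real device, feed the script the output of `adb shell settings get secure sms_default_application`, `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy`. A package that appears in all three findings at once is exactly the profile the article describes and is worth pulling for analysis; a single finding is usually a legitimate app that simply is not on your allowlist yet.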

The attacks might seem basic, but they still work, and Kaspersky figures say Asacub currently accounts for 38 percent of mobile banking trojan attacks.

"The example of the Asacub Trojan shows us that mobile malware can function for several years with minimal changes in its distribution pattern," Shishkova told ZDNet.

"One of the main reasons for this is that the human factor can be leveraged through social engineering: SMS-messages look like they are meant for a certain user, so victims unconsciously click on fraudulent links. In addition, with regular change of domains from which the Trojan is distributed, catching it requires heuristic methods of detection," she added.

However, despite the prolific nature of Asacub, it's relatively simple for users to avoid becoming a victim -- researchers suggest only downloading applications from official sources and warn users not to click on suspicious links of unknown origin.
