Catelites Android Malware Poses as 2,200 Bank Apps

Another day another Android malware. This time, according to a joint research conducted by security firms SfyLabs and Avast Threat Labs, there is a new Android malware strain that can pose as not a hundred or two but nearly 2,200 banks to steal passwords and carry out fraud. The malware, dubbed as Catelites Bot, can pose as Santander and Barclays banks as well.

The malware has potential links to the infamous Russian gang who managed to infect over a million devices using the CronBot Trojan and make a whopping $900,000. This gang, however, was dismantled recently.

What does Catelites Bot do

The malware can get installed on an android device in more than one ways such as via fake, malicious applications available at third-party app stores or phishing websites. It may also get installed with malicious malware. Catelites can intercept texts, lock the mobile phone, delete device data, access phone numbers, modify speaker volume, spy on message conversations and force password unlocks.

After being downloaded, an icon titled System Application appears on the screen. When the user clicks on this icon, the software asks for admin rights. In case the victim grants these permissions, the icon disappears and the real job of Catelites Bot starts. Now the screen displays three trustable app icons of Gmail, Google Play, and Chrome. And then the malware looks for credit card information.

Catelites android malware poses as 2,200 bank apps to steal financial data
Fake icon on an infected device (Image credit: Avast)

When the victim opens any of these three new icons, a fake overlay appears asking for sensitive financial information. Considering that the icons are of reliable apps, a majority of users will fall prey to this trap and enter the required data. However, if the user suspects foul play then attackers have another trick mechanism in place; the overlay will be present on the top of the screen so that the user tries to get rid of it by providing the required information.

Stealing your banking data

The primary objective of the malware is to obtain bank account login details. Since the malware can pose as most of the top tier banks and financial institutions, therefore, users are bound to be deceived. When banking app is opened, the malware produces a fake overlay in place of the authentic banking app screen and the user may not know that it is not the real bank app where he or she is entering bank login credentials and credit card information. When this is done, attackers can easily access your bank account and credit card.

Catelites android malware poses as 2,200 bank apps to steal financial data
App asking for credit card data (Image credit: Avast)

In their blog post, security experts stated that CronBot and Catelites are quite similar to each other. According to Nikolaos Chrysaidos from Avast:

“While we don’t have any evidence that the Catelites Bot actor is linked to CronBot, it is likely that Catelites members have gotten their hands on the Cron malware and repurposed it for their own campaign.”

“The malware has the ability to automatically and interactively pull Android banking applications’ logos and names from Google Play Store. While the manipulative mobile banking screens don’t resemble the original banking apps, the power lies within the malware’s shotgun approach: Targeting millions of users of thousands of banks to increase the likelihood a few victims will fall for the trick,” added Chrysaidos.

You can stay protected by using an updated anti-virus for Android devices. If you don’t have it then boot the phone into safe mode to ensure that the malware is not installed. If you find any suspicious apps, immediately delete them. Also, remember never to grant admin rights to a program or app unless you are completely sure about the authenticity of the app.

Moreover, as we always recommend, never download apps from third-party app stores and only use authentic platforms like Google Play. Whenever you open your bank app, try to find out if the app is behaving normally or not and if you suspect something then immediately close it.

The malware is identified in Russia until now but experts believe that this is just a testing stage and the attackers will most probably try to spread it to other parts of the world to target banks worldwide. Until now, approx. 9,000 users have been targeted.

Source: Avast


Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.