Ubel Android Banking Botnet



Ubel Android Banking Botnet The malware was distributed through malicious SMS messages, with the attacks often conducted in real-time by posing as bank operators to dupe targets over the phone and surreptitiously gain access to the infected device via WebRTC protocol and ultimately conduct unauthorized bank transfers. While no new activities were reported since then, it appears that Oscorp may have staged a return after a temporary hiatus in the form of an Android botnet known as UBEL. Works on android versions 5 – 11. Function: 1-RAT 2-SPAM SMS 3-GET FULL CONTACT AND SEND SMS 4-GET ALL SMS 5-READ ALL SMS 6-READ ALL APPLICATIONS INSTALLED 7-IF BANKING SERVICE IS ACTIVE, YOU CAN SEE ALL BANK APPLICATIONS 8-REMOVE FROM PANEL AND UNINSTALL RAT (IF YOU WANT) 9-OPEN URL IN WEB BROWSER OR HIDDEN BROWSER 10-SOCKS5 CONNECTIONS 11-GET BANK INFO WITH MORE INJECTION he malware targets European banking applications and adds devices to its botnet. first revealed details about the

An Android malware that was observed abusing accessibility services in the device to hijack user credentials from European banking applications has morphed into an entirely new botnet as part of a renewed to masterscyber campaign that began in january 2022

Ubel Android Banking Botnet analyzing some related samples, we found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source-code appears to be shared between multiple [threat actors],” Italian cybersecurity company Cleafy said Tuesday, charting the malware’s evolution

Advertised on underground forums for $980, UBEL, like its predecessor, requests for intrusive permissions that allows it to read and send SMS messages, record audio, install and delete applications, launch itself automatically after system boot, and abuse accessibility services on Android to amass sensitive information from the device such as login credentials and two-factor authentication codes, the results of which are exfiltrated back to a remote server.

Once downloaded on the device, the malware attempts to install itself as a service and hide its presence from the target, thereby achieving persistence for extended periods of time

nterestingly, the use of WebRTC to interact with the compromised Android phone in real-time circumvents the need to enroll a new device and take over an account to perform fraudulent activities.

“The main goal for this [threat actor] by using this feature, is to avoid a ‘new device enrollment’, thus drastically reducing the possibility of being flagged ‘as suspicious’ since device’s fingerprinting indicators are well-known from the bank’s perspective,” the researchers said.