Cron-Linked Malware Impersonates 2200 Banking Apps


Paying for purchases with your mobile is very convenient. Being able to access our bank account and manage it from the phone means we do not depend on a desktop or laptop. But most advantages come with some drawback. Once again, cybercriminals are targeting this type of user, this time with the Cron banking Trojan.

How does this threat work?

It has two objectives: stealing the credentials that give access to account information, and stealing the data associated with credit cards. Cybercriminals know that users currently rely heavily on this form of payment. Security experts link this threat to the Cron cybercriminal group.

This is not a threat that we can consider new. Earlier this year, its owners were able to obtain an amount close to $900,000.

The distribution channels have not changed much. Security experts from Avast confirm that unofficial application stores are being used to distribute this banking Trojan. It is delivered by way of legitimate applications.

If the user has installed this threat on their device, the login form shown by their bank's application may not be the original.

When the user installs the application, it identifies itself as System Application. During installation, the user is asked to approve a large number of permissions. That should be the cue to decide whether to continue or cancel the process.

Once installed, the Trojan runs in the background and waits for the user to launch one of the applications on its list. It then superimposes its own form over the legitimate one. The user is not aware that he/she is entering the information into elements that do not belong to the legitimate form of the application in use.

The result: when the user presses the login button, the information is collected on servers owned by the cybercriminals. It is a very effective strategy that lets them cover a large number of applications without excessive effort.

Other similar attacks

This threat already appeared at the beginning of the year, with quite a satisfactory result for the cybercriminals. It is not the only threat that uses this practice. LokiBot, Red Alert and Exobot are three examples that operate in a similar way to the one described in this article. All of them steal information in the same manner.

The best way to know whether our device is affected is to look in the application manager for the System Application app. If it is installed, we should find it running. Uninstalling it is not complicated, and it is not necessary to boot the operating system into safe mode to complete the process.
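The check above can be applied across many devices at once. The following is an added example, not code from the article or from Avast: it ranks apps for manual review using the three signals the article mentions (the "System Application" label, installation from outside an official store, and a large number of permissions). The inventory format, field names, sample records and permission threshold are assumptions made for illustration.

```python
import json

OFFICIAL_INSTALLERS = {"com.android.vending"}  # Google Play; extend for your fleet
SUSPECT_LABEL = "system application"           # label reported in the article
PERMISSION_THRESHOLD = 15                      # assumption: tune to your baseline

# Constructed inventory in a hypothetical JSON-lines export format.
SAMPLE_INVENTORY = """\
{"package": "com.android.settings", "label": "Settings", "system": true, "installer": null, "permission_count": 40}
{"package": "org.example.bank", "label": "Example Bank", "system": false, "installer": "com.android.vending", "permission_count": 9}
{"package": "org.example.flashlight", "label": "Flashlight", "system": false, "installer": null, "permission_count": 22}
{"package": "org.example.sysapp", "label": "System Application", "system": false, "installer": null, "permission_count": 27}
"""

def triage(app):
    """Return the reasons an app deserves manual review (empty list if none)."""
    if app["system"]:
        return []  # shipped on the system image; not a user-installed app
    reasons = []
    if app["label"].strip().lower() == SUSPECT_LABEL:
        reasons.append("user-installed app labelled 'System Application'")
    if app["installer"] not in OFFICIAL_INSTALLERS:
        reasons.append("not installed from an official store")
    if app["permission_count"] >= PERMISSION_THRESHOLD:
        reasons.append("requests %d permissions" % app["permission_count"])
    return reasons

def review_queue(inventory_text):
    """Parse the inventory; return (package, reasons) pairs, most reasons first."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        app = json.loads(line)
        reasons = triage(app)
        if reasons:
            findings.append((app["package"], reasons))
    return sorted(findings, key=lambda f: -len(f[1]))

if __name__ == "__main__":
    for package, reasons in review_queue(SAMPLE_INVENTORY):
        print(package, "->", "; ".join(reasons))
```

A hit is a prompt for manual inspection, not a verdict: sideloaded apps with many permissions are common, which is why the label match is weighted alongside the other two signals rather than used alone.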
