Security firm Kaspersky Lab is warning of an evolving threat from a mobile banking Trojan, dubbed Asacub, which appears to be using infrastructure elements that the CoreBot Windows spyware Trojan employs.
Asacub emerged in June 2015 and initially acted as an information-stealing Trojan that pilfered user contact lists and browser history. Kaspersky Lab's analysis shows that in late 2015 Asacub evolved into a full-featured mobile banking Trojan that steals money from victims. The mobile banking version of Asacub includes features that enable the Trojan to show a phishing page for a banking application.
"In total, we saw attempts to infect more than 16,000 of our users, according to data from our Kaspersky Security Network," Roman Unuchek, senior malware analyst at Kaspersky Lab, told eWEEK. "It is hard to say how many users were infected because many consumers still do not have any form of antivirus protection."
Asacub usually gets onto user devices by deceiving the user into installing a malicious application.
"They use SMS [Short Message Service] spam and phishing to force the user to install this Trojan," Unuchek said. "In most cases, it looks like an app to view images or MMS [Multimedia Messaging Service]."
Asacub targets all Android users, even those with fully patched and up-to-date devices. Asacub does not exploit any vulnerabilities in Android; instead, the Trojan simply abuses the permissions it gets when the user is deceived into installing it, Unuchek said.
"Standard permissions are enough," Unuchek said. "There is no need for any extraordinary permission to overlap another app with a phishing window."
Kaspersky Lab also found that Asacub was using the same command-and-control backend infrastructure that the Windows CoreBot spyware tool employs. This is not the first time Unuchek has seen Windows malware operations use the same command-and-control infrastructure for Android malware, but it is not a common situation.
"Asacub could be Corebot's mobile version," Unuchek wrote in a blog post. "However, it is more likely that the same malicious actor purchased both Trojans and has been using them simultaneously."
Unuchek noted that Kaspersky Lab will share the details of what it discovered during the Asacub investigation with law enforcement agencies and other organizations interested in fighting cyber-threats.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.