A previously unknown Android banking trojan has been discovered in the wild, targeting users of the Spanish financial services company BBVA.
The malware, believed to be in the early stages of development, was first observed on June 15, 2022, and is spread through phishing campaigns.
“The name Revive has been chosen since one of the functionalities of the malware (called by the [threat actors] precisely ‘revive’) is restarting in case the malware stops working,” Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday write-up.
The malware is distributed through malicious phishing pages (“bbva.appsecureguide[.]com” and “bbva.european2fa[.]com”) that act as a lure to trick users into downloading the app.
Once installed, the malware impersonates the bank’s two-factor authentication (2FA) app, and it derives much of its functionality from the open-source spyware Teardroid, whose original source code the authors modified to include new features.
Unlike other banking malware, which targets several financial apps at once, Revive is designed for a single target: BBVA. It nonetheless resembles other trojans in abusing Android’s accessibility services API to meet its operational objectives.
Revive primarily steals the bank’s login credentials through lookalike pages and account-takeover attacks. It also incorporates a keylogger module to capture keystrokes and intercepts the SMS messages received on infected devices, chiefly the one-time passwords and 2FA codes sent by the bank.
“When the victim opens the malicious app for the first time, Revive asks to accept two permissions related to the SMS and phone calls,” the researchers said. “After that, a clone page (of the targeted bank) appears to the user and if the login credentials are inserted, they are sent to the [command-and-control server] of the TAs.”
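The capability set described above (SMS and phone permissions requested up front, plus an accessibility service) is one a defender can look for statically. The following is an added example, not Cleafy’s tooling or anything from the write-up: a triage check over a decoded AndroidManifest.xml, where the permission sets, the `revive_like` threshold and the sample manifest are my own constructed assumptions rather than observed indicators.

```python
# Added example (not Cleafy's tooling): static triage of a decoded
# AndroidManifest.xml for the capability set the article attributes to Revive,
# SMS + phone permissions combined with an accessibility service declaration.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
PHONE_PERMS = {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE"}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def analyze_manifest(manifest_xml: str) -> dict:
    """Return capability flags for a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    # A <service> gated by BIND_ACCESSIBILITY_SERVICE, or filtering for the
    # AccessibilityService action, is what Settings offers to be enabled.
    declares_a11y = any(
        svc.get(PERM_ATTR) == ACCESSIBILITY_PERM
        or any(a.get(NAME_ATTR) == ACCESSIBILITY_ACTION for a in svc.iter("action"))
        for svc in root.iter("service")
    )
    flags = {
        "sms": bool(requested & SMS_PERMS),
        "phone": bool(requested & PHONE_PERMS),
        "accessibility_service": declares_a11y,
    }
    # All three together is the combination worth escalating for manual review.
    flags["revive_like"] = flags["sms"] and flags["phone"] and declares_a11y
    return flags


# Constructed sample manifest for demonstration; not taken from a real sample.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fake2fa">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
```

The manifest must already be decoded to text (for example with apktool); the check is a triage signal for review, since legitimate SMS or accessibility apps can match individual flags.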
The findings once again underscore the need for caution when downloading apps from untrusted third-party sources. The abuse of sideloading has not gone unnoticed by Google, which has implemented a new feature in Android 13 that blocks sideloaded apps from using accessibility APIs.