March 31, 2021

BancaMarStealer

How Lookout Detects and Protects Against Banking Trojan and Malware Campaigns

Lookout Security Intelligence teams are continuously discovering and researching new threats to protect and advise our customers. We do this by combining static and dynamic analysis with our machine learning engine. Devices with Lookout installed can detect and be alerted when BancaMarStealer is present. Lookout admins can create policies that block access to corporate resources until the malware is removed from the infected device.

Key Findings

  • This banking trojan can be very effective when combined with social engineering and mobile phishing.
  • As a highly customizable piece of malware, it can be used to target employees or customers of any organization.
  • The total number of samples has grown almost 10 times in three years.

Background and Discovery Timeline

The Lookout Threat Intelligence team discovered BancaMarStealer, a mobile trojan malware family designed to phish the victim’s login credentials for banking and other services. Since initially being announced by Lookout in 2018, the number of observed samples of BancaMarStealer has grown from 7,700 to over 74,000 as of April 2021.

Capabilities and Affected Parties

BancaMarStealer is a mobile-specific banking trojan that serves as a perfect example of malware-as-a-service (MaaS). Out of the box, it can be configured to target specific banks, or any online service, communicate with specific command and control servers, and support a wide range of remote commands. It is delivered to the victim via SMS in a message that prompts the user to download a custom app. This makes it highly effective in social engineering campaigns.

Since it’s a highly customizable piece of malware, BancaMarStealer continuously evolves and has become one of the most robust banking trojans seen to date. In addition to being able to steal login credentials through screen overlays, it also has the following capabilities:

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as its preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Entry Type
Threat Guidances
Threat Type
Malware
Threat Type
Crimeware
Platform(s) Affected
Threat Guidances
Malware
Crimeware

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell