A previously unknown Android banking Trojan has been discovered in the wild, targeting users of the Spanish financial services company BBVA.
Said to be in its early stages of development, the malware – dubbed Revive by Italian cybersecurity company Cleafy – was first observed on June 15, 2022 and distributed through phishing campaigns.
“The name Revive was chosen because one of the features of the malware (called by the [threat actors] precisely ‘revive’) restarts in case the malware stops working,” Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday article.
Distributed through scam phishing pages (“bbva.appsecureguide[.]com” or “bbva.european2fa[.]com”) that trick users into downloading it, the malware poses as the bank’s two-factor authentication (2FA) app and is believed to be inspired by an open-source spyware called Larmoid, with the authors tweaking the original source code to incorporate new functionality.
Unlike other banking malware known to target a wide range of financial applications, Revive is designed for a specific target, in this case BBVA bank. That said, it is no different from its counterparts in that it leverages Android’s Accessibility Services API to achieve its operational goals.
Revive is primarily designed to harvest bank login credentials through lookalike login pages and facilitate account takeover attacks. It also integrates a keylogger module to capture keystrokes and the ability to intercept SMS messages received on infected devices, mainly one-time passwords and 2FA codes sent by the bank.
“When the victim first opens the malicious app, Revive asks to accept two permissions related to text messages and phone calls,” the researchers said. “After that, a clone page (of the targeted bank) appears to the user and if the login credentials are inserted, they are sent to the [command-and-control server] TAs.”
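The behaviour described above (SMS and phone permissions requested up front, plus an accessibility service) can be checked for in a decoded AndroidManifest.xml during triage. The script below is an added illustration, not code from Cleafy’s write-up; the manifest it parses is constructed for the example and is not Revive’s real manifest.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
PHONE_PERMS = {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE"}
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample in decoded (apktool-style) form, not Revive's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake2fa">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Bank 2FA">
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def manifest_findings(xml_text: str) -> dict:
    """Report which of the capabilities attributed to Revive a manifest declares."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    # Accessibility service: a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # whose intent-filter listens for the AccessibilityService action.
    has_a11y = any(
        s.get(A + "permission") == A11Y_PERM
        and any(a.get(A + "name") == A11Y_ACTION for a in s.iter("action"))
        for s in root.iter("service")
    )
    return {
        "package": root.get("package"),
        "sms": sorted(perms & SMS_PERMS),
        "phone": sorted(perms & PHONE_PERMS),
        "accessibility_service": has_a11y,
    }

def triage(findings: dict) -> str:
    """SMS access plus an accessibility service is the pairing this family relies on."""
    if findings["sms"] and findings["accessibility_service"]:
        return "HIGH"
    if findings["sms"] or findings["accessibility_service"]:
        return "MEDIUM"
    return "LOW"
```

A legitimate bank 2FA app has no reason to declare both SMS access and an accessibility service, so a HIGH verdict is a strong signal for manual analysis rather than proof on its own.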
The findings once again underscore the need for caution when it comes to downloading apps from untrusted third-party sources. Sideloading abuse has not gone unnoticed by Google, which has implemented a new feature in Android 13 that prevents these apps from using accessibility APIs.