SlemBunk malware for Android is stealing Bank details

Android users all over the world have been falling victims to a new type of malware that the cybersecurity firm FireEye is calling SlemBunk. The dangerous malware is a type of Trojan that (having been launched for the first time) runs in the background at all times – ready to steal the banking credentials of unsuspecting Android users,

‘When the app is launched for the first time, it activates the registered receiver, which subsequently starts the monitoring service in the background.’

According to FireEye, the nasty payload gets onto Android systems by posing as either an update for popular messaging software WhatsApp or a Flash update (that users have been picking up at purposefully infected pornography websites.) Once downloaded, the malicious software has the capability to pose as legitimately initiated banking apps thereby stealing one time passwords, login details and other sensitive online banking details.

So far, the malware has been analysed by researchers (in real world cases) around 170 times. During that time, FireEye has noticed that the software’s developer has been carefully updating the Trojan to successfully mimic a growing number of financial institution’s systems.

The most recent update that FireEye has discovered is feared to be able to steal user inputted data from the legitimate apps of up to 31 different banks and two mobile payment service providers. Alarmingly, SlemBunk has been found guilty of stealing banking details from Android users in the US, Europe and Asia Pacific (including targeting many Australian banks) – making it a dangerously widespread cyber attack.

According to researchers at FireEye the trojan’s sophistication makes it very hard to detect. Primarily because the criminal developer has taken a lot of care to make it seem legitimate,

‘We noticed the SlemBunk authors have invested time in making sure that the look and feel of the phishing UI closely resemble that of the original. In some instances, the phishing interface requests that the user types in their credentials twice rather than once. It also forces the user to go through a fake verification process, which we suspect is to increase the user’s confidence in its authenticity.’

It would also appear that the cybercriminal that developed SlemBunk is interested in more than just financial gains. The new class of Trojan having also been found to be stealing the login details of many popular Android apps – ‘Including popular social media apps, utility apps and instant messaging apps’ – the firm says. Other details that have so far been stolen by the Trojan include telephone numbers, installed apps list, device model and OS version, revealing the great depth and breadth of information that the sophisticated malware is taking.

Describing the technical details about how the software works, FireEye explains that ‘the core objective of SlemBunk is to phish for authentication credentials – primarily for financial institutions – by pushing a fake login interface when a specified app is running in the foreground.’ It achieves this by sending user inputted data back to a remote ‘Command and Control’ (CnC) server – which FireEye has discovered is altering its location over time.

The CnC server communicates and controls the malware remotely via HTTP and SMS enabling it to get ‘regular status reports’ amongst other command controls. Another problem is that the malware takes on administrator privileges making the malware extremely stubborn and successful at its primary job of phishing.

As is always the case when malware like this pops up, users are advised to take care of where they get their apps from – as well as which websites they choose to frequent. If you do visit any sites that you fear may have become infected by a cyber criminal, be aware, and be careful to avoid mistakenly accepting any malware posing as a Flash update. Instead, always update your version of Flash from the correct distributor Adobe. If you stick to these rules (and like FireEye rightly suggests) keep to proper App stores – also making sure to regularly update your version of Android – you should be able to avoid the dangers posed by SlemBunk.


Ray Walsh I am a freelance journalist and blogger from England. I am highly interested in politics and in particular the subject of IR and I am an advocate for freedom of speech, equality and personal privacy. On a more personal level I like to stay active, love snowboarding, swimming and cycling, enjoy seafood and love to listen to trap music.

Related Coverage


Leave a Reply

Your email address will not be published. Required fields are marked *