BancaMarStealer

How Lookout Detects and Protects Against Banking Trojan and Malware Campaigns

Lookout Security Intelligence teams are continuously discovering and researching new threats to protect and advise our customers. We do this by combining static and dynamic analysis with our machine learning engine. Devices with Lookout installed can detect and be alerted when BancaMarStealer is present. Lookout admins can create policies that block access to corporate resources until the malware is removed from the infected device.

Key Findings

• This banking trojan can be very effective when combined with social engineering and mobile phishing.

• As a highly customizable piece of malware, it can be used to target employees or customers of any organization.

• The total number of samples has grown almost 10 times in three years.

‍

Background and Discovery Timeline

The Lookout Threat Intelligence team discovered BancaMarStealer, a mobile trojan malware family designed to phish the victim’s login credentials for banking and other services. Since initially being announced by Lookout in 2018, the number of observed samples of BancaMarStealer has grown from 7,700 to over 74,000 as of April 2021.

‍

Capabilities and Affected Parties

BancaMarStealer is a mobile-specific banking trojan that serves as a perfect example of malware-as-a-service (MaaS). Out of the box, it can be configured to target specific banks, or any online service, communicate with specific command and control servers, and support a wide range of remote commands. It is delivered to the victim via SMS in a message that prompts the user to download a custom app. This makes it highly effective in social engineering campaigns.

Since it’s a highly customizable piece of malware, BancaMarStealer continuously evolves and has become one of the most robust banking trojans seen to date. In addition to being able to steal login credentials through screen overlays, it also has the following capabilities: