Triple threat Android.Banking.L. can function as a keylogger, a banking malware and a ransomware

• The “all-in-one” malware is also capable of call forwarding and audio recording.
• The malware is designed to steal users’ credentials and other sensitive data.

A new Android malware has been discovered called Android.Banking.L. The malware is considered to be an “all-in-one” Trojan as it comes packed with numerous capabilities.

Android.Banking.L contains all the basic functionalities of a banking Trojan. It also possesses capabilities such as keylogging, call forwarding, audio recording and ransomware. Android.Banking.L is also designed to steal users’ credentials and other sensitive information.

Modus operandi

According to security researchers at Quick Heal, who discovered Android Banker, the Trojan has the ability to launch a victim’s browser with a URL received from the C2 server.

“It repeatedly opens the accessibility setting page until the user switches ON the ‘Accessibility Service’. The Accessibility Service allows the Trojan to enable and abuse any required permission without user concern,” Quick Heal researchers wrote in a blog. “The main APK file is highly obfuscated and all strings are encrypted. It also contains the extra junk code to make it difficult for reverse engineering.”

How it works

The malware is capable of checking whether a user’s Google Play protection service is on or off. Android Banker sends a fake alert to disable Google Play’s protection service, if it is on. The malware also encrypts all files and displays a ransom note on the screen.

The new malware indicates that cybercriminals are continuing to tweak malware, adding more capabilities to expand their attack vector. To stay safe from such powerful malware, Android users are recommended to use mobile sandbox solutions.