{"id":2700,"date":"2021-06-28T11:15:40","date_gmt":"2021-06-28T09:15:40","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2700"},"modified":"2026-06-08T22:31:19","modified_gmt":"2026-06-08T22:31:19","slug":"ursnif-android-apps","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/ursnif-android-apps\/","title":{"rendered":"Ursnif and Android APPs"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In recent weeks, an Ursnif malware campaign has been detected targeting Italian users who utilize online banking services.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once the victim&#8217;s computer is infected, Ursnif waits for the user to connect to their online banking site and through a <strong>web injection<\/strong> notifies users that they will no longer be able to use the service unless they download a security app. <br>This app can be downloaded by scanning the QR code displayed on the page.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/images-cdn.welcomesoftware.com\/Zz1jMWFiZGYwOGM5MjYxMWViYTAyYjFkZjRmNWUxMDE2Mw==\" alt=\"\" \/><figcaption>Source:  <a href=\"https:\/\/securityintelligence.com\/posts\/ursnif-cerberus-android-malware-bank-transfers-italy\/\">Ursnif Leverages Cerberus Android Malware to Automate Fraudulent Bank Transfers in Italy (securityintelligence.com)<\/a> <\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">When the user scans the QR code with their mobile device, a web browser opens containing a <strong>fake Google Play page<\/strong> displaying a logo corresponding to the banking app of the bank the victim originally attempted to access.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The addresses used to host the fake Google Play page exploit <strong>typo-squatting<\/strong> to appear legitimate to the user:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\"><li>google.servlce.store<\/li><li>gooogle.services<\/li><li>goooogle.services<\/li><li>play.google.servlce.store<\/li><li>play.gooogle.services<\/li><li>play.goooogle.services<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The downloaded app is actually <strong>Cerberus<\/strong>; to keep the lure consistent, it is branded with the name of the bank the victim attempted to log in to.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In the background, the injection ties the phone number entered by the victim to the Ursnif ID assigned to the infected computer, the bank name, and the credentials the victim used to log in. <br>Cerberus serves a single purpose here: intercepting the SMS verification codes sent to the victim&#8217;s phone. The fraudulent transfer itself is initiated from the infected computer.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Communication with C2 Servers<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Communications with the command and control (<strong>C2<\/strong>) servers go through the <strong>Jambo script<\/strong>, which talks to srv_dom, the injection server that manages the man-in-the-browser activity. 
<a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a> capabilities can surface this C2 traffic through behavioral analysis and network traffic inspection.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/images-cdn.welcomesoftware.com\/Zz00MmNjYmQ3OWM5MjcxMWViOGU0ZDE5Mjc3ZTM2ZDNjOA==\" alt=\"\" \/><figcaption>Source:  <a href=\"https:\/\/securityintelligence.com\/posts\/ursnif-cerberus-android-malware-bank-transfers-italy\/\">Ursnif Leverages Cerberus Android Malware to Automate Fraudulent Bank Transfers in Italy (securityintelligence.com)<\/a> <\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The following commands are exchanged with the C2 during the infection:<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"\"><tbody><tr><td><strong>Command<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td>ADD_INFO<\/td><td>Send data to C2: token, SMS content, telephone, download an application.<\/td><\/tr><tr><td>ASK<\/td><td>Send communication to the C2.<\/td><\/tr><tr><td>GET_DROP<\/td><td>Check account balance on the victim&#8217;s bank account.<\/td><\/tr><tr><td>GOOD_TRF<\/td><td>Attempt to initiate a money transfer transaction.<\/td><\/tr><tr><td>LOGIN<\/td><td>Send victim&#8217;s login information to attacker&#8217;s C2 server.<\/td><\/tr><tr><td>PING<\/td><td>Check if the infected machine is currently online.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">IBAN Substitution<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Ursnif seeks to automate the transfers initiated from the browser. To do so, it replaces the IBAN and BIC of a legitimate transfer with the IBAN of an account controlled by the attacker (a mule account).<br>Because the fraudulent transfer has to be triggered by an action of the victim, Ursnif needs its code to run on a click. 
Therefore, it replaces the login button on the original banking page with its own button wired to the <strong>&#8220;hookPay()&#8221;<\/strong> function.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/images-cdn.welcomesoftware.com\/Zz02MDZjYWJhNGM5MjcxMWViYjA4ZWYzZTYzNDE1NjRmNA==\" alt=\"\" \/><figcaption>Source:  <a href=\"https:\/\/securityintelligence.com\/posts\/ursnif-cerberus-android-malware-bank-transfers-italy\/\">Ursnif Leverages Cerberus Android Malware to Automate Fraudulent Bank Transfers in Italy (securityintelligence.com)<\/a> <\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The <strong>&#8220;makeTrf&#8221;<\/strong> function performs the IBAN substitution; the transfer amount is set only if the victim&#8217;s balance exceeds 3 000 \u20ac.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/images-cdn.welcomesoftware.com\/Zz03MmUxNTBhZWM5MjcxMWViYmFhNmE3ZGJmODA0OTg4OQ==\" alt=\"\" \/><figcaption>Source:  <a href=\"https:\/\/securityintelligence.com\/posts\/ursnif-cerberus-android-malware-bank-transfers-italy\/\">Ursnif Leverages Cerberus Android Malware to Automate Fraudulent Bank Transfers in Italy (securityintelligence.com)<\/a> <\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Injections Adapted Based on Security Challenge<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The web injections are adapted to the security challenge used by each targeted bank; for example, one injection instructs the victim to enter the number displayed on their physical token.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/images-cdn.welcomesoftware.com\/Zz04MmNjZjMzMWM5MjcxMWViYjA4ZWYzZTYzNDE1NjRmNA==\" alt=\"\" \/><figcaption>Source:  <a href=\"https:\/\/securityintelligence.com\/posts\/ursnif-cerberus-android-malware-bank-transfers-italy\/\">Ursnif Leverages Cerberus Android Malware to Automate Fraudulent Bank 
Transfers in Italy (securityintelligence.com)<\/a> <\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Alternatively, the victim is asked to enter the code sent via SMS within 90 seconds.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img decoding=\"async\" src=\"https:\/\/images-cdn.welcomesoftware.com\/Zz05MWQxZmM0ZmM5MjcxMWViYTRkYWQ5NmQ1NmRmMDUzNQ==\" alt=\"\" width=\"503\" height=\"361\" \/><figcaption>Source:  <a href=\"https:\/\/securityintelligence.com\/posts\/ursnif-cerberus-android-malware-bank-transfers-italy\/\">Ursnif Leverages Cerberus Android Malware to Automate Fraudulent Bank Transfers in Italy (securityintelligence.com)<\/a> <\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">A loading GIF is then displayed to the victim, followed by a maintenance notice that keeps the victim from using the account from the infected device and interfering with the transfer.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/images-cdn.welcomesoftware.com\/Zz0zMTdlMjZmMGM5MjgxMWViOGU0ZTE5Mjc3ZTM2ZDNjOA==\" alt=\"\" \/><figcaption>Source: <a href=\"https:\/\/securityintelligence.com\/posts\/ursnif-cerberus-android-malware-bank-transfers-italy\/\">Ursnif Leverages Cerberus Android Malware to Automate Fraudulent Bank Transfers in Italy (securityintelligence.com)<\/a> <\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">IOCs<\/h3>\n\n\n\n<h5 class=\"wp-block-heading\">C2 Servers<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">*\/statppaa\/*<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">hxxp:\/\/sanpoloanalytics[.]org\/pp_am\/<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">*\/statmoflsa\/*<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">hxxp:\/\/sanpoloanalytics[.]org\/lancher\/<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">MD5 Gozi: b6921ce0f1b94a938acb6896cc8daeba<br>SHA-256 Cerberus APK:<br>40b8a8fd2f4743534ad184be95299a8e17d029a7ce5bc9eaeb28c5401152460d<br><br><strong>Phishing domains and C&amp;C 
servers (defanged, do not browse to them):<\/strong><br><br><strong>C&amp;C:<\/strong><br>hxxps:\/\/ecertificateboly[.]us\/lancher\/<br>hxxp:\/\/sanpoloanalytics[.]org\/lancher\/<br><br><strong>Phishing:<\/strong><br>hxxps:\/\/play.google.servlce[.]store\/store\/apps\/details.php?id=it.phoenixspa.inbank<br>hxxps:\/\/play.gooogle[.]services\/store\/apps\/details.php?id=com.paypal.android.p2pmobile<br>hxxps:\/\/google.servlce[.]store<br>hxxps:\/\/gooogle[.]services<br>hxxps:\/\/goooogle[.]services<br>hxxps:\/\/play.google.servlce[.]store<br>hxxps:\/\/play.gooogle[.]services<br>hxxps:\/\/play.goooogle[.]services<br><br><strong>IP addresses:<\/strong><br><br>SOCKS Proxy:<br>37.120.222[.]138:9955<br><br>VNC:<br>194.76.225[.]91<br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ursnif banking trojan extending its operation to Android: malicious APK delivery, second-stage capabilities, overlay attacks and detection 
considerations.<\/p>\n","protected":false},"author":1,"featured_media":2489,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3150,3153,3151,3152,368],"class_list":["post-2700","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-android-malware","tag-apk","tag-banking-trojan","tag-mobile-threats","tag-ursnif"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2700"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2700\/revisions"}],"predecessor-version":[{"id":9853,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2700\/revisions\/9853"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
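Detection check for the IOCs listed in the post, added here as an example and not code from the post or from the referenced X-Force write-up: a Python matcher that runs the C2 domains and URL paths, the typo-squatted Play Store hosts and the SOCKS/VNC addresses against web-proxy log lines, and then groups hits per client so that the infected PC (C2 traffic) can be told apart from the device that fetched the fake Play page. It also generalises the typo-squatting pattern seen in the phishing list (extra "o"s, "l" in place of "i") into a lookalike check that flags hosts the list does not name. The log format, the log lines, the client addresses and the allowlist of genuine Google domains are constructed for the demo.

```python
"""IOC matcher for the Ursnif/Cerberus campaign described in the post.

Added example. The proxy log format and the log lines below are constructed;
the domains, paths and IPs are the IOCs the post lists (refanged for matching).
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

C2_PATHS = ("/statppaa/", "/statmoflsa/", "/pp_am/", "/lancher/")
C2_DOMAINS = {"sanpoloanalytics.org", "ecertificateboly.us"}
PHISHING_DOMAINS = {
    "google.servlce.store", "gooogle.services", "goooogle.services",
    "play.google.servlce.store", "play.gooogle.services", "play.goooogle.services",
}
IOC_IPS = {"37.120.222.138": "socks_proxy", "194.76.225.91": "vnc"}

# Assumed allowlist: hosts under these domains are genuine, everything else that
# collapses to a protected brand label is treated as a lookalike.
GENUINE_DOMAINS = ("google.com", "google.it")
BRANDS = ("google",)


def skeleton(host: str) -> str:
    """Collapse homoglyph and letter-repetition tricks so that
    'play.gooogle.servlce.store' and 'play.google.service.store' compare equal."""
    h = host.lower().rstrip(".")
    for bad, good in (("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"),
                      ("0", "o"), ("3", "e"), ("5", "s")):
        h = h.replace(bad, good)
    return re.sub(r"(.)\1+", r"\1", h)  # gooogle -> gogie, servlce -> service


def is_brand_lookalike(host: str) -> bool:
    """True when a whole DNS label collapses to a brand name and the host is not
    under a genuine domain. Whole-label matching avoids flagging e.g.
    googleusercontent.com."""
    host = host.lower().rstrip(".")
    if any(host == g or host.endswith("." + g) for g in GENUINE_DOMAINS):
        return False
    labels = skeleton(host).split(".")
    return any(skeleton(b) in labels for b in BRANDS)


def classify(url: str) -> List[str]:
    """Return the IOC reasons matching one URL (empty list when clean)."""
    parsed = urlparse(url if "://" in url else "//" + url)  # CONNECT host:port
    host = (parsed.hostname or "").lower()
    path = parsed.path
    reasons = []
    if host in C2_DOMAINS:
        reasons.append("c2_domain:" + host)
    if host in PHISHING_DOMAINS:
        reasons.append("phishing_domain:" + host)
    elif host and is_brand_lookalike(host):
        reasons.append("lookalike:" + host)
    if host in IOC_IPS:
        reasons.append("ioc_ip:" + IOC_IPS[host])
    # The post gives the paths as */statppaa/* etc.; on their own they are a
    # weaker signal, so they are reported for triage even on unknown hosts.
    reasons.extend("c2_path:" + p for p in C2_PATHS if p in path)
    return reasons


@dataclass
class Hit:
    client: str
    url: str
    reasons: List[str]


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2021-06-21T09:14:02Z 10.0.5.23 GET http://sanpoloanalytics.org/lancher/?id=1 200
2021-06-21T09:14:05Z 10.0.5.23 POST http://203.0.113.7/statppaa/upload 200
2021-06-21T09:16:40Z 10.0.8.9 GET https://play.google.com/store/apps/details?id=it.phoenixspa.inbank 200
2021-06-21T09:17:11Z 10.0.8.9 GET https://play.google.servlce.store/store/apps/details.php?id=it.phoenixspa.inbank 200
2021-06-21T09:20:00Z 10.0.5.23 CONNECT 37.120.222.138:9955 200
2021-06-21T09:21:30Z 10.0.2.4 GET https://www.example.com/ 200
"""


def scan(lines: List[str]) -> List[Hit]:
    """Run classify() over each log line and keep the ones with IOC matches."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        reasons = classify(url)
        if reasons:
            hits.append(Hit(client, url, reasons))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, List[str]]:
    """Kinds of IOC seen per client: a client with c2_domain/ioc_ip hits is the
    infected PC; one with only phishing_domain hits fetched the fake Play page."""
    kinds: Dict[str, set] = {}
    for h in hits:
        kinds.setdefault(h.client, set()).update(r.split(":", 1)[0] for r in h.reasons)
    return {c: sorted(k) for c, k in kinds.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(h.client, h.url, ", ".join(h.reasons))
    print(summarize(found))
```

The lookalike check deliberately compares whole labels after normalisation, so a novel variant such as gooooogle.services is caught while legitimate hosts that merely contain the brand string are not; extend GENUINE_DOMAINS with the bank and brand domains your users actually visit before running this over production logs.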