Greenbean: Latest Android Banking Trojan Leveraging Simple RealTime Server (SRS) for C&C Communication
2024-2-1 14:16:9 Author: cyble.com

Key Takeaways 

  • A novel Android Banking Trojan, “Greenbean”, is being disseminated through a phishing site promoting a cryptocurrency scheme. 
  • The malware is designed to target five applications across cryptocurrency, payment, and banking platforms. 
  • Evidence from the application’s name and the presence of Chinese and Vietnamese characters in the target code indicates that the malware is specifically aimed at Android users in China and Vietnam. 
  • The malware predominantly relies on the Accessibility service to gather credentials from the targeted applications. 
  • An additional feature of the Greenbean malware is its incorporation of video streaming using WebRTC. 
  • At the time of publishing the blog, the phishing site was operational, suggesting that the malware remains active in the wild. 
  • The malware utilizes the open-source Simple Realtime Server (SRS) project for its Command and Control (C&C) server, which supports WebRTC streaming. 

Overview 

In October 2023, Cyble Research and Intelligence Labs (CRIL) identified a new Android Banking Trojan named Enchant that specifically targets cryptocurrency users in China. More recently, another Android Banking Trojan with video streaming and screen reading capabilities has been detected; it has been targeting cryptocurrency users in China and Vietnam since August 2023. 

CRIL has observed that this Banking Trojan is being disseminated through a phishing site, “hxxp://antlercryptop[.]com/,” which promotes a cryptocurrency scheme. Additionally, the malware is distributed via an Amazon AWS hosting service URL, namely “hxxps://hkccg[.]s3.ap-southeast-1.amazonaws.com/app-relea.apk.” 

Figure 1 – Phishing site distributing malware 

When the “Download” button is clicked on the phishing site, it triggers the download of the “AntlerWeath.apk” file from the URL “hxxps://delown[.]s3.ap-east-1.amazonaws.com/AntlerWealth.apk.” 

The downloaded malicious file “AntlerWeath.apk” exploits the Accessibility service to illicitly acquire credentials from the Metamask wallet and engages in screen streaming activities. Furthermore, we identified more samples related to this Banking Trojan, focusing on additional applications incorporating extra code to gather Personally Identifiable Information (PII). The following is a list of applications targeted by the malware: 

  • com.eg.android.AlipayGphone (AliPay) 
  • com.tencent.mm (WeChat) 
  • com.vib.myvib2 (MyVIB) – Bank from Vietnam 
  • com.google.android.gm (Gmail) 
  • com.paybis (Paybis) 

The Banking Trojan has the following capabilities: 

  • Steals screen content 
  • Video Streaming  
  • Performs automatic gestures 
  • Steals credentials from targeted applications 
  • Collect PII data 

In all the identified samples, we observed a consistent use of the package name “org.icecream.greenbean”, which encompasses malicious code. Due to the uniformity in employing this package name across all samples, we are referring to this malware as “Greenbean” throughout this analysis. 

Figure 2 – Common package name used across all identified samples 

The Greenbean malware establishes communication with the Command and Control (C&C) server located at “hxxp://18.166[.]228.126”. The C&C server runs Simple Realtime Server (SRS), an open-source project available on GitHub. SRS supports WebRTC, which the malware uses for screen streaming. SRS is known for its simplicity, high efficiency, and real-time video server capabilities. 

Figure 3 – Malware uses SRS open source project for C&C communication 

In the technical analysis section, we have examined a sample identified by the hash value “d221a8d19d112f34a097b4bdc825a1963f8180fa8b57855a232e9a15dc4f7153.” This sample was uploaded to VirusTotal on January 16, 2023, under the file name “test.apk.” This file seems to be a test version with additional functionalities compared to the APK file obtained from the phishing site. A comprehensive analysis of the Android Banking Trojan is provided in the following section. 

Technical Analysis 

APK Metadata Information

  • App Name: Test 
  • Package Name: com.missdong 
  • SHA256 Hash: d221a8d19d112f34a097b4bdc825a1963f8180fa8b57855a232e9a15dc4f7153 

Figure 4 – Application metadata information 

Upon installation, the malware prompts users to enable the overlay permission and the Accessibility Service. Once these are granted, the malware abuses them to automatically grant itself the additional permissions it requires. This initial procedure, prompting for the Accessibility Service and then auto-granting permissions, is a fairly common pattern observed in several banking trojans. 

Command and Control (C&C) communication 

Once the Greenbean malware has acquired the necessary permissions, it initiates a WebSocket connection using the URL “hxxp://testapp[.]srslivestream.com:19001/monitor/ws” to establish communication between the server and the client. 

Figure 5 – WebSocket connection 

The Greenbean malware handles two categories of commands: the first set, received by the client from the server, starts with “C” followed by a number; the second set, initiated by the client and sent to the server, starts with “R” followed by a number. Figures 6 and 7 provide examples of these command sets. 

Figure 6 – Example of the first set of instructions sent by the server to the client 

Figure 7 – Example of the second set of instructions sent by the client to the server 

The first set of commands has been listed below: 

Command Description 
C05 Append shared preference config with the data received from the server 
C10 Perform gestures 
C14 Upload logs file 
C15 Sends SMSs from the infected device 
C20 Auto inputs the data received from the server using the Accessibility service 
C27 Not Implemented 
C30 Not Implemented 
C31 Captures screenshot 
C32 Starts sharing WebRTC streams (possible screen sharing feature) 
C33 Stops WebRTC and camera used for video streaming 
C34 Stops Camera used by WebRTC 
C40 Switches camera and starts video streaming using WebRTC 
C41 Update layout with black screen window 
C42 Updated layout window 
C43 Perform key/click events 
C88 Saves values received from server to shared preference 
C99 Not Implemented 
PING Pings the server 

The second set of commands is as follows: 

Commands Description 
R10 Sends package and application name 
R11 Sends installed application package name list 
R20 Sends Metamask application data 
R21 Sends stolen AliPay and WeChat data 
R23 Sends lock pattern 
R24 Sends device-related information 
R25 Sends SMS list 
R26 Sends contact list 
R30 Sends screen reader (screen content) data 
R45 Sends stolen data from the VibBank application 
R50 Sends screen OFF status 
R51 Sends screen ON status 

Targeting payment, cryptocurrency, and banking applications 

As previously stated, the malware specifically focuses on five applications associated with payments, cryptocurrencies, and banking. It employs Accessibility services to discern the components within these applications that pertain to payment processes, account balances, and transactions. 

The following illustration depicts an instance involving the WeChat application. The malware, using the Accessibility service, scans the active window for the ¥ currency symbol and attempts to retrieve the amount to be transferred. Similarly, it checks for the Chinese words “向” (translating to “towards”) and “转账” (translating to “transfer”) to determine the recipient of a money transfer. Moreover, the malware can modify the contents of the recipient fields, since it can receive the command “C20” along with the corresponding input data. Using this feature, the malware may redirect money from the victim’s account to the Threat Actor’s account, causing financial loss to the victim. 

Figure 8 – Malware fetched amount and recipient information 

The malware sends the fetched amount and recipient details, along with the package name, process ID, and the x and y coordinates of the elements extracted from the screen, to the C&C server using the command “R21”. 

Figure 9 – Sends stolen data from the targeted application to the C&C server 

Screen Reader 

Immediately after the victim grants permission, the malware initiates the process of extracting information from the screen. This involves text fields, search boxes, edit texts, and any data entered by the victim. The malware also monitors the position of elements displayed on the screen by tracking each node through the Accessibility service. Subsequently, it transmits this collected data to the C&C server using the “R30” command. The code presented in the figure below is utilized to extract the content of the nodes. 

Figure 10 – Code used to read content from the screen 

The figure below illustrates a C&C request initiated by the malware using the “R30” command to send the screen content of the current window. Threat Actors (TAs) can mine the stolen screen content for credentials or other sensitive information. 

Figure 11 – C&C request sending screen content 

Video Streaming Using WebRTC 

Greenbean has incorporated a video streaming capability through WebRTC, an open-source project facilitating real-time communication in web browsers and mobile applications. Using this video streaming feature, the malware can monitor a victim’s actions and collect sensitive information. 

Our observations reveal that the malware performs WebRTC-related tasks in response to the server commands labeled “C31,” “C32,” “C33,” and “C34.” Each of these server commands corresponds to a specific WebRTC-related action. The following is a description of each action: 

Actions Description 
stop_camera Destroys the WebRTC object and stops streaming. 
stop_sharing Destroys the WebRTC object and stops streaming. 
start_camera Switches the camera and starts video streaming; it uses a different URL to stream data. 
start_sharing Starts sharing streams using WebRTC (possible screen streaming), which uses a different URL for streaming content. 

The following code illustrates the actions described above related to live streaming using WebRTC. 

Figure 12 – Code used for executing actions related to webRTC streaming 

As depicted in Figure 12, the malware employs two URLs for WebRTC streaming: 

  • webrtc://18[.]166.288.126/merchant001/(device_id) – This URL is utilized by the malware to transmit streams when triggered by the “start_sharing” action. 
  • webrtc://18[.]166.288.126/merchant001/(device_id)_camera – The URL ending with “_camera” is employed by the malware in response to the “start_camera” action. 

Upon analyzing both actions, we observed that the Greenbean Trojan uses the same WebRTC method for video streaming in both cases, which made it challenging to precisely distinguish between the two actions. Despite this, the malware effectively implements the live streaming feature, as evidenced by entries in the test SRS panel related to both actions, as shown in the figure below. 

Figure 13 – Live streaming entries present on the SRS panel 
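As an added defender-side example (not code from the report), the following Python scans constructed proxy log lines for the three network patterns described above: the C&C WebSocket endpoint, the two webrtc:// stream URL shapes (with and without the “_camera” suffix), and the APK download hosts. The log format, the client addresses and the device id are assumptions; the hosts and paths are the report’s indicators with the defanging brackets removed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log (timestamp, client, method, URL); not from the report.
SAMPLE_LOG = """\
2024-01-16T10:00:01Z 10.0.0.5 GET https://delown.s3.ap-east-1.amazonaws.com/AntlerWealth.apk
2024-01-16T10:00:09Z 10.0.0.5 GET http://testapp.srslivestream.com:19001/monitor/ws
2024-01-16T10:00:12Z 10.0.0.5 CONNECT webrtc://18.166.228.126/merchant001/abc123
2024-01-16T10:00:40Z 10.0.0.5 CONNECT webrtc://18.166.228.126/merchant001/abc123_camera
2024-01-16T10:01:00Z 10.0.0.7 GET https://example.com/index.html
"""

C2_HOSTS = {"18.166.228.126", "testapp.srslivestream.com"}
APK_HOSTS = {"delown.s3.ap-east-1.amazonaws.com",
             "hkccg.s3.ap-southeast-1.amazonaws.com"}
# Stream path shape from the report's two webrtc:// URLs: /merchant001/<device_id>[_camera]
STREAM_RE = re.compile(r"^/merchant001/(?P<device>[^/]+?)(?P<camera>_camera)?$")


def classify_url(url: str):
    """Return (category, detail) for a Greenbean indicator, or None for benign traffic."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "webrtc" and host in C2_HOSTS:
        m = STREAM_RE.match(parts.path)
        if m:
            kind = "camera" if m.group("camera") else "screen"
            return ("webrtc_stream", f"{kind}:{m.group('device')}")
        return ("webrtc_stream", "unknown-path")
    if host in C2_HOSTS and parts.path.endswith("/monitor/ws"):
        return ("c2_websocket", f"port={parts.port}")
    if host in APK_HOSTS:
        return ("apk_download", parts.path.rsplit("/", 1)[-1] or "/")
    return None


def scan_log(text: str):
    """Return one finding per log line whose URL matches a Greenbean indicator."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash on real logs
        hit = classify_url(fields[3])
        if hit:
            findings.append({"ts": fields[0], "client": fields[1],
                             "category": hit[0], "detail": hit[1]})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The order of findings for a single client (APK download, then the WebSocket handshake, then stream URLs) mirrors the infection sequence the report describes, so grouping findings by client address is a useful triage step on real logs.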

Collects Data from the Infected Device 

Apart from the features described above, Greenbean also performs the following functions: 

  • Collects the contact list and SMS list 
  • Steals clipboard content 
  • Captures screenshots 
  • Steals files 
  • Collects device information 
  • Collects network information 
  • Steals the installed application list 
  • Collects photos 

Conclusion 

The analysis of the Greenbean malware reveals a sophisticated and multifaceted threat, primarily targeting payment, cryptocurrency, and banking applications. Its ability to exploit permissions, establish covert communication channels, and execute a range of commands poses a significant risk to the privacy and security of infected devices. 

The integration of WebRTC for video streaming adds a new dimension to the malware’s capabilities, allowing attackers to monitor victims in real time. The extensive list of commands, including the extraction of sensitive information, SMS collection, and live streaming, underscores the malicious intent behind this threat. 

Certain commands within this version of the malware have been left unimplemented, creating a possibility that a new variant might emerge with additional targets and features. Although the current instances of identified samples in the wild are relatively limited, the malware’s capabilities suggest the potential for an increase in the campaign’s prevalence in the days to come. 

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

  • Only install software from official app stores such as the Play Store or the iOS App Store.  
  • Using a reputed antivirus and internet security software package is recommended on connected devices, including PCs, laptops, and mobile. 
  • Use strong passwords and enforce multi-factor authentication wherever possible.  
  • Be careful while opening links received via SMS or emails sent to your mobile device.  
  • Google Play Protect should always be enabled on Android devices.  
  • Be wary of any permissions that you give an application.  
  • Keep devices, operating systems, and applications up to date. 

MITRE ATT&CK® Techniques 

Tactic | Technique ID | Procedure 
Initial Access (TA0027) | Phishing (T1660) | Malware distribution via phishing site 
Persistence (TA0028) | Event Triggered Execution: Broadcast Receivers (T1624.001) | The malware registers broadcast receivers to trigger malicious actions 
Defense Evasion (TA0030) | Input Injection (T1516) | Malware can mimic user interaction, perform clicks and various gestures, and input data 
Discovery (TA0032) | System Information Discovery (T1426) | Collects device information such as device ID, model, and manufacturer 
Discovery (TA0032) | Software Discovery (T1418) | Collects installed application details 
Collection (TA0035) | Clipboard Data (T1414) | Malware collects clipboard content 
Collection (TA0035) | Input Capture: Keylogging (T1417.001) | Uses a key logging feature to steal credentials 
Collection (TA0035) | Data from Local System (T1533) | Collects files from storage 
Collection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Steals SMSs from the infected device 
Collection (TA0035) | Protected User Data: Contact List (T1636.003) | Collects the contact list from the infected device 
Collection (TA0035) | Screen Capture (T1513) | Malware captures screenshots 
Collection (TA0035) | Video Capture (T1512) | Malware has a video-streaming feature 
Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sends exfiltrated data over the C&C channel 

Indicators of Compromise (IOCs) 




Article source: https://cyble.com/blog/greenbean-latest-android-banking-trojan-leveraging-simple-realtime-server-srs-for-cc-communication/