Greenbean Banking Trojan Targets Android Users

Greenbean is a banking trojan that targets the Android operating system and has existed since at least 2023. It is designed to acquire banking and finance-related information, and indications suggest that it primarily targets users in Vietnam and China.

Like many trojans targeting Android devices, Greenbean exploits Android Accessibility Services, which are intended to help users interact with their devices. These services can manipulate various aspects of the device: reading the screen, simulating touchscreen and keyboard actions, interacting with dialogue boxes, and locking/unlocking the device. A program like Greenbean that abuses these services gains all of those capabilities.

Upon infiltration, Greenbean prompts the user to grant Accessibility permissions. Once these permissions are obtained, the trojan elevates its privileges and initiates the collection of pertinent information, including device and network data, installed applications, contact lists, and SMS data.
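Because everything described above depends on an enabled Accessibility service, a defender can review which services are enabled on a device and where their packages came from. The following Python is an added example, not part of the original article. It parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the trusted-installer set, the allowlist and the sample package names are assumptions constructed for illustration.

```python
import re

# Assumption: installers treated as trusted; adjust for your environment.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Assumption: accessibility packages expected on the device (often preinstalled).
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}
_PKG_LINE = re.compile(r"package:(\S+)[ \t]+installer=(\S+)")

def parse_enabled_services(raw):
    """Parse the colon-separated component list; the setting reads 'null' when empty."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for comp in raw.split(":"):
        pkg, sep, cls = comp.strip().partition("/")
        if sep and pkg:
            # Expand the short form "pkg/.Service" to a full class name.
            services.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return services

def parse_installers(raw):
    """Map package -> installer (None when the installer is reported as null)."""
    installers = {}
    for m in _PKG_LINE.finditer(raw):
        installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def flag_services(services_raw, packages_raw):
    """Return enabled accessibility services that deserve a manual review."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        installer = installers.get(pkg)
        if pkg not in ALLOWED_PACKAGES and installer not in TRUSTED_INSTALLERS:
            findings.append({"package": pkg, "service": cls, "installer": installer})
    return findings

# Constructed sample output; the com.example.* packages are hypothetical.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cleaner/.AssistService:"
    "com.example.reader/com.example.reader.ReadAloudService")
SAMPLE_PACKAGES = (
    "package:com.google.android.marvin.talkback  installer=null\n"
    "package:com.example.cleaner  installer=null\n"
    "package:com.example.reader  installer=com.android.vending\n")

if __name__ == "__main__":
    for finding in flag_services(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(finding)
```

A flagged entry is not proof of infection; it marks a sideloaded or unknown-source app holding Accessibility access, which is the combination this trojan relies on.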

Greenbean can download files and images and extract content from the clipboard. While it can send SMS messages, it has not been employed for Toll Fraud as of this writing.

The trojan can also capture screenshots and, notably, can stream the infected device's screen and the view from the phone's cameras.

The primary objective of this malware is to obtain personally identifiable information, login credentials, and financial data from victims. It specifically targets applications such as Gmail, WeChat, AliPay, MyVIB, MetaMask, and Paybis. Greenbean can redirect outgoing monetary transactions by altering receiver details, and in some instances, it may initiate these transactions without the victims' input.

How Are Android Malicious Apps Usually Distributed?

Android malicious apps are typically distributed through various methods, often leveraging deceptive tactics to trick users into installing them. Some common distribution methods include:

Third-party App Stores: Malicious apps may be hosted on third-party app stores outside of the official Google Play Store. Users might be prompted to download apps from these unofficial sources, increasing the risk of encountering malware.

Phishing Websites: Cybercriminals create fake websites or advertisements that mimic legitimate app download pages. Unsuspecting users may be directed to these phishing sites and unknowingly download malicious apps.

Malvertising: Malicious advertising, or malvertising, involves placing harmful code within online advertisements. Clicking on these ads or visiting compromised websites can lead to the automatic download and installation of malicious apps.

Email and Messaging: Malicious apps can be distributed through phishing emails or messages containing links to download infected applications. These messages often use social engineering techniques to trick users into clicking on the provided links.

SMS and MMS: Some malware is distributed via text messages or multimedia messages containing links to download malicious apps. This method, known as "smishing," aims to deceive users into installing harmful applications.

Fake System Updates: Cybercriminals may create fake system update notifications that prompt users to download and install updates outside of the official channels. These fake updates often contain malware.

Infected Websites: Visiting compromised websites or clicking on malicious links can lead to the automatic download of harmful apps. Drive-by downloads occur when malware is downloaded without the user's knowledge during the visit to a compromised site.

February 16, 2024