This month, Cleafy’s security researchers discovered a new Android Banking Trojan in the wild.
According to reports, the malware tool has been dubbed “Revive” because of its ability to restart itself if something goes wrong.
Cleafy, in a Monday advisory, explained that Revive was created to focus on a specific set of goals (currently, Spanish banks).
Researchers say Revive’s attack methodology is similar to that of other banking trojans because the malware still makes use of accessibility services to perform keylogging activities and intercept SMS messages from the target.
The Cleafy app would ask users to grant permissions for SMS and phone calls when they first installed the app using various social engineering techniques.
Revive would then redirect users to a cloned page (of the targeted bank) and prompt them to enter their credentials once the permissions had been granted.
Additionally, any two-factor authentication (2FA) or one-time password codes (OTP) codes sent via SMS or phone call by banks would then be sent to the C2 of the threat actors (TAs).
Last but not least, Revive would direct victims to a generic home page with links to the legitimate bank’s website in order to prevent users from becoming alarmed.
Cleafy’s initial analysis of Revive’s code revealed that both of the samples obtained by Cleafy currently have a very low detection rate by Antivirus solutions (AVs).
The Revive malware appears to be based on FastAPI, a Web framework for developing RESTful APIs in Python, and sections of the code of both malware instances appear to be similar, according to the security researchers who discovered the malware.
Nevertheless, the threat actors responsible for Revive would have altered it to perform account takeover attacks after that… (ATO). Cleafy categorised Revive as a banking trojan rather than spyware because of this difference.
A few days earlier, Cleafy had upgraded the BRATA Android malware group to the category of “advanced persistent threat” (APT).