
Wroba Trojan Resurfaces, Targets U.S. Users


For the most part, Wroba Trojan activity has been limited to Asian countries. Very recently, however, researchers at Kaspersky Labs have seen the mobile banking Trojan targeting Android and iPhone users in the U.S. with fake package-delivery notifications. According to Kaspersky, the cybercriminals behind the Wroba campaign try to lure users by sending them a text message. The message reads, “Your parcel has been sent out. Please check and accept it.”

Once an unsuspecting user clicks on the link, one of two things happens, depending on the operating system of the mobile device.

If a user of an Android device clicks “OK,” they are redirected to a malicious site that reads, “Your browser is out-of-date and needs to be updated.” If the user clicks “OK,” the malicious application is downloaded onto the device. For iPhone users, the download doesn’t work. Instead, iPhone users are shown a phishing page designed to look like Apple’s login page, in a bid to steal their credentials.
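The OS-dependent behaviour described above is something an analyst can check for when triaging a reported SMS link. The sketch below is an added example, not Kaspersky's tooling or code from the original article; the capture format, the host names, and the `APPLE_HOSTS` list are assumptions, and the sample captures are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample data: responses a sandbox recorded when fetching the same
# SMS link with two different User-Agent profiles. Hosts and bodies are made up.
CAPTURES = {
    "android": {
        "final_url": "http://parcel-update.example/app/update.apk",
        "headers": {"Content-Type": "application/vnd.android.package-archive"},
        "body": b"PK\x03\x04" + b"\x00" * 16,
    },
    "ios": {
        "final_url": "http://parcel-update.example/signin",
        "headers": {"Content-Type": "text/html"},
        "body": b"<html><title>Apple ID</title><form><input type='password'></form></html>",
    },
}

APPLE_HOSTS = ("apple.com", "icloud.com")  # assumption: legitimate Apple sign-in domains


def classify(capture):
    """Label one captured response: 'apk-download', 'apple-login-lookalike' or 'other'."""
    ctype = capture["headers"].get("Content-Type", "").lower()
    parsed = urlparse(capture["final_url"])
    path, host = parsed.path.lower(), (parsed.hostname or "").lower()
    body = capture["body"]
    # APK delivery: Android package MIME type, or an .apk path with ZIP magic bytes.
    if "android.package-archive" in ctype or (path.endswith(".apk") and body[:4] == b"PK\x03\x04"):
        return "apk-download"
    # Phishing page: password form with Apple branding served from a non-Apple host.
    on_apple = any(host == h or host.endswith("." + h) for h in APPLE_HOSTS)
    if (not on_apple and re.search(rb"type=['\"]?password", body, re.I)
            and re.search(rb"apple\s*id|icloud", body, re.I)):
        return "apple-login-lookalike"
    return "other"


def triage(captures):
    """Classify every profile and flag links that behave differently per OS."""
    labels = {profile: classify(c) for profile, c in captures.items()}
    return {
        "labels": labels,
        "os_dependent": len(set(labels.values())) > 1,
        "suspicious": any(label != "other" for label in labels.values()),
    }


if __name__ == "__main__":
    print(triage(CAPTURES))
```

A link that yields an APK for the Android profile and an Apple-branded login form for the iOS profile matches the pattern the article describes and is worth escalating.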

Once the Trojan is installed on a device, it can perform several nefarious activities, such as sending fake SMS messages, accessing financial transaction data, checking installed packages, and stealing the contact list and credentials for financial data. According to Kaspersky, Wroba belongs to a family of malware that attempts to steal mobile banking accounts as well as one-time passwords sent by banks for client authentication.


Figure: Geographical distribution of attacks by the Trojan-Banker.AndroidOS.Wroba family

According to Malwarebytes, associated families of the mobile banking Trojan include:

  • Trojan.Bank.Marcher
  • Trojan.Bank.Perkel
  • Trojan.Bankun
  • Trojan.Spy.FakeBank
  • Trojan.Spy.FakeKRBank
  • Trojan.Spitmo
  • Trojan.Zitmo

What is Wroba Trojan?

For the uninitiated, Wroba is not altogether new malware. Back in 2013, the Wroba Trojan masqueraded as a legitimate application on the Google Play Store. Also known as FunkyBot, Wroba had mainly targeted users in Korea, China, Russia, Japan, and other countries in the APAC region.

What is a Trojan horse?

A Trojan horse, or Trojan, is a malicious program or piece of malicious code disguised to look like a popular or legitimate application. Unlike viruses, Trojans cannot replicate and spread on their own; they depend on user action to infect other systems. The user has to open the Trojan application for it to spread.

What is malware?

Malware is a generic or collective term for malicious software code. It includes viruses, Trojans, ransomware, and spyware. Typically, malware is delivered as a link in an email or as an email attachment. Clicking the link leads to a malicious website. Opening a malicious attachment executes the malicious program or code.