Key Takeaways
- A novel Android Banking Trojan, “Greenbean”, is being disseminated through a phishing site promoting a cryptocurrency scheme.
- The malware is designed to target five applications across cryptocurrency, payment, and banking platforms.
- Evidence from the application’s name and the presence of Chinese and Vietnamese characters in the target code indicates that the malware is specifically aimed at Android users in China and Vietnam.
- The malware predominantly relies on the Accessibility service to gather credentials from the targeted applications.
- An additional feature of the Greenbean malware is its incorporation of video streaming using WebRTC.
- At the time of publishing the blog, the phishing site was operational, suggesting that the malware remains active in the wild.
- The malware utilizes the open-source Simple Realtime Server (SRS) project for its Command and Control (C&C) server, which supports WebRTC streaming.
Overview
In October 2023, Cyble Research and Intelligence Labs (CRIL) identified a new Android Banking Trojan named Enchant that specifically targets cryptocurrency users in China. More recently, another Android Banking Trojan featuring a video streaming and screen reading capability has been detected, focusing on targeting cryptocurrency users in China and Vietnam since August 2023.
CRIL has observed that this Banking Trojan is being disseminated through a phishing site, “hxxp://antlercryptop[.]com/,” which promotes a cryptocurrency scheme. Additionally, the malware is distributed via an Amazon AWS hosting service URL, namely “hxxps://hkccg[.]s3.ap-southeast-1.amazonaws.com/app-relea.apk.”
Figure 1 – Phishing site distributing malware
When the “Download” button is clicked on the phishing site, it triggers the download of the “AntlerWeath.apk” file from the URL “hxxps://delown[.]s3.ap-east-1.amazonaws.com/AntlerWealth.apk.”
The downloaded malicious file “AntlerWeath.apk” exploits the Accessibility service to illicitly acquire credentials from the Metamask wallet and engages in screen streaming activities. Furthermore, we identified more samples related to this Banking Trojan, focusing on additional applications incorporating extra code to gather Personally Identifiable Information (PII). The following is a list of applications targeted by the malware:
- com.eg.android.AlipayGphone (AliPay)
- com.tencent.mm (WeChat)
- com.vib.myvib2 (MyVIB) – Bank from Vietnam
- com.google.android.gm (Gmail)
- com.paybis (Paybis)
The Banking Trojan has the following capabilities:
- Steals screen content
- Video Streaming
- Performs automatic gestures
- Steals credentials from targeted applications
- Collect PII data
In all the identified samples, we observed a consistent use of the package name “org.icecream.greenbean”, which encompasses malicious code. Due to the uniformity in employing this package name across all samples, we are referring to this malware as “Greenbean” throughout this analysis.
Figure 2 – Common package name used across all identified samples
The Greenbean malware establishes communication with the Command and Control (C&C) server located at “hxxp://18.166[.]228.126”. The C&C server utilizes Simple Realtime Server (SRS), an open-source project accessible on GitHub. SRS supports webRTC, which the malware employs for screen streaming. SRS is recognized for its simplicity, high efficiency, and real-time video server capabilities.
Figure 3 – Malware uses SRS open source project for C&C communication
In the technical analysis section, we have examined a sample identified by the hash value “d221a8d19d112f34a097b4bdc825a1963f8180fa8b57855a232e9a15dc4f7153.” This sample was uploaded to VirusTotal on January 16, 2023, under the file name “test.apk.” This file seems to be a test version with additional functionalities compared to the APK file obtained from the phishing site. A comprehensive analysis of the Android Banking Trojan is provided in the following section.
Technical Analysis
APK Metadata Information
- App Name: Test
- Package Name: com.missdong
- SHA256 Hash: d221a8d19d112f34a097b4bdc825a1963f8180fa8b57855a232e9a15dc4f7153
Figure 4 – Application metadata information
Upon installation, the malware prompts users to enable overlay permission and Accessibility Service. Upon granting these permissions, the malware exploits them by automatically granting additional required permissions. This initial procedure, involving prompting for accessibility service and autogranting permissions, is a fairly common trend observed in several banking trojans.
Command and Control (C&C) communication
Once the Greenbean malware has acquired the necessary permissions, it initiates a WebSocket connection using the URL “hxxp://testapp[.]srslivestream.com:19001/monitor/ws” to establish communication between the server and the client.
Figure 5 – WebSocket connection
The Greenbean malware executes two categories of commands: the first set of commands received by the client from the server starts with “C” followed by number, and the second set of commands initiated by the client and sent to the server, beginning with “R” followed by numbers. Figures 5 and 6 provide examples of these command sets.
Figure 6 – Example of the first set of instructions sent by the server to the client
Figure 7 – Example of the second set of instructions sent by the client to the server
The first set of commands has been listed below:
| Command | Description |
| C05 | Append shared preference config with the data received from the server |
| C10 | Perform gestures |
| C14 | Upload logs file |
| C15 | Sends SMSs from the infected device |
| C20 | Auto inputs the data received from the server using the Accessibility service |
| C27 | Not Implemented |
| C30 | Not Implemented |
| C31 | Captures screenshot |
| C32 | Starts sharing webRTC streams (possible screen sharing feature) |
| C33 | Stops WebRTC and camera used for video streaming |
| C34 | Stops Camera used by WebRTC |
| C40 | Switches camera and starts video streaming using WebRTC |
| C41 | Update layout with black screen window |
| C42 | Updated layout window |
| C43 | Perform key/click events |
| C88 | Saves values received from server to shared preference |
| C99 | Not Implemented |
| PING | Pings the server |
The second set of commands is as follows:
| Commands | Description |
| R10 | Sends package and application name |
| R11 | Sends installed application package name list |
| R20 | Sends Metamask application data |
| R21 | Sends stolen AliPay and WeChat data |
| R23 | Sends lock pattern |
| R24 | Sends device-related information |
| R25 | Sends SMS list |
| R26 | Sends contact list |
| R30 | Sends screen reader |
| R45 | Sends stolen data from the VibBank application |
| R50 | Sends screen OFF status |
| R51 | Sends screen ON status |
Targeting payment, cryptocurrency, and banking applications
As previously stated, the malware specifically focuses on five applications associated with payments, cryptocurrencies, and banking. It employs Accessibility services to discern the components within these applications that pertain to payment processes, account balances, and transactions.
The following illustration depicts an instance involving the WeChat application. The malware, employing accessibility services, scans the active window for the ¥ currency symbol and attempts to retrieve the amount to be transferred. Similarly, it examines the presence of the Chinese words “向” (translating to “towards”) and “转账” (translated to “transfer”) to determine the recipient of a money transfer. Moreover, the malware can modify information within the fields associated with the recipient as it can receive the command “C20” along with the corresponding input data. Using this feature, malware may transfer the money from the victim’s account to the Threat Actor’s account, leading to financial loss to the victim.
Figure 8 – Malware fetched amount and recipient information
The malware sends the fetched amount and recipient details, along with the package name, process ID, and the x and y coordinates of the elements extracted from the screen, to the C&C server using the command “R21”.
Figure 9 – Sends stolen data from the targeted application to the C&C server
Screen Reader
Immediately after the victim grants permission, the malware initiates the process of extracting information from the screen. This involves text fields, search boxes, edit texts, and any data entered by the victim. The malware also monitors the position of elements displayed on the screen by tracking each node through the Accessibility service. Subsequently, it transmits this collected data to the C&C server using the “R30” command. The code presented in the figure below is utilized to extract the content of the nodes.
Figure 10 – Code used to read content from the screen
The figure below illustrates a C&C request initiated by the malware using the “R30” command to send the screen content of the current window. TAs can use the stolen screen content to exfiltrate credentials or other sensitive information.
Figure 11 – C&C request sending screen content
Video Streaming Using WebRTC
Greenbean has incorporated a video streaming capability through the utilization of WebRTC, an open-source project facilitating real-time communication in web browsers and mobile applications. Using this video streaming feature, malware can keep an eye on a victim’s action and also can collect sensitive information.
Our observations reveal that the malware performs WebRTC-related tasks in response to commands received from servers labeled as “C31,” “C32,” “C33,” and “C34.” Each of these server commands corresponds to a specific action related to WebRTC. The following is a description of each action:
| Actions | Description |
| stop_camera | Destroys webRTC object and stops streaming. |
| stop_sharing | Destroys webRTC object and stops streaming. |
| start_camera | Switches the camera and starts video streaming; it uses a different URL to stream data. |
| start_sharing | Start sharing streams using webRTC (Possible screen streaming), which uses a different URL for streaming content. |
The following code illustrates the actions described above related to live streaming using WebRTC.
Figure 12 – Code used for executing actions related to webRTC streaming
As depicted in Figure 11, the malware employs two URLs for WebRTC streaming:
- webrtc://18[.]166.288.126/merchant001/(device_id) – This URL is utilized by the malware to transmit streams when triggered by the “start_sharing” action.
- webrtc://18[.]166.288.126/merchant001/(device_id)_camera – The URL ending with “_camera” is employed by the malware in response to the “start_camera” action.
Upon analyzing both actions, we observed that Greenbean Trojan utilizes the same WebRTC method responsible for video streaming. However, it was challenging to precisely distinguish between these two actions. Despite this, the malware effectively implemented the live streaming feature, as evidenced by entries in the test SRS panel related to both actions, as shown in the figure below.
Figure 13 – Live streaming entries present on the SRS panel
Collects Data from the Infected Device
Apart from above mentioned features, Greenbean executes below functions:
- Collects Contact list and SMS list
- Steals clipboard content
- Capture screenshots
- Steals files
- Collects device information
- Collects network information
- Steals installed application list
- Collects photos
Conclusion
The analysis of the Greenbean malware reveals a sophisticated and multifaceted threat, primarily targeting payment, cryptocurrency, and banking applications. Its ability to exploit permissions, establish covert communication channels, and execute a range of commands poses a significant risk to the privacy and security of infected devices.
The integration of WebRTC for video streaming adds a new dimension to the malware’s capabilities, allowing attackers to monitor victims in real time. The extensive list of commands, including the extraction of sensitive information, SMS collection, and live streaming, underscores the malicious intent behind this threat.
Certain commands within this version of the malware have been left unimplemented, creating a possibility that a new variant might emerge with additional targets and features. Although the current instances of identified samples in the wild are relatively limited, the malware’s capabilities suggest the potential for an increase in the campaign’s prevalence in the days to come.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Only install software from official app stores such as the Play Store or the iOS App Store.
- Using a reputed antivirus and internet security software package is recommended on connected devices, including PCs, laptops, and mobile.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Be careful while opening links received via SMS or emails sent to your mobile device.
- Google Play Protect should always be enabled on Android devices.
- Be wary of any permissions that you give an application.
- Keep devices, operating systems, and applications up to date.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Procedure |
| Initial Access (TA0027) | Phishing (T1660) | Malware distribution via phishing site |
| Persistence (TA0028) |
Event Triggered Execution: Broadcast Receivers (T1624.001) | The malware registered broadcast receivers to trigger malicious actions. |
| Defense Evasion (TA0030) | Input Injection (T1516) | Malware can mimic user interaction, perform clicks and various gestures, and input data |
| Discovery (TA0032) | System Information Discovery (T1426) |
Collects device information such as device ID, model, and manufacturer |
| Discovery (TA0032) | Software Discovery (T1418) |
Collects installed application details |
| Collection (TA0035) | Clipboard Data (T1414) | Malware collects clipboard content |
| Collection (TA0035) | Input Capture: Keylogging (T1417.001) | Uses key logging feature to steal credentials |
| Collection (TA0035) | Data from Local System (T1533) |
Collect files from storage |
| Collection (TA0035) | Protected User Data: SMS Messages (T1636.004) |
Steals SMSs from the infected device |
| Collection (TA0035) | Protected User Data: Contact List (T1636.003) | Collects contact list from infected device |
| Collection (TA0035) | Screen Capture (T1513) | Malware captures screenshots |
| Collection (TA0035) | Video Capture (T1512) | Malware has a video-streaming feature |
| Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sending exfiltrated data over C&C server |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| c6f966b7ba6cc5d98ca7a771ea87baa3393e559c54b00e527a1e7df2f3a6ed58 3861237f6c60c563cc82388bf34bb56d5f691872 574e8c1327646f82d1e5663035e15391 |
SHA256 SHA1 MD5 |
Malicious APK file hash |
| hxxp://18[.]166.228.126:19001 | URL | C&C server |
| hxxp://antlercrypto[.]com/ | URL | Phishing site |
| hxxps://delown[.s3.ap-east-1.amazonaws.com/AntlerWealth.apk | URL | Malware download URL |
| d221a8d19d112f34a097b4bdc825a1963f8180fa8b57855a232e9a15dc4f7153 5f92661116641f9fb210910c3f09fcf72eef90fe bf22b7f3a2136314b330f66b82c46123 |
SHA256 SHA1 MD5 |
Malicious APK file hash |
| 81255caecb159b0d39a2eda0421bae39394d5107e0bbd585dade9f9b0579967a 3f3e66485a4f02559f100e50002c654c68cb80b0 b7d817e3f2e08877b0073df189fd2b42 |
SHA256 SHA1 MD5 |
Malicious APK file hash |
| hxxps://hkccg[.s3.ap-southeast-1.amazonaws.com/app-relea.apk | URL | Malware download URL |
| 284845253395fc53a7a0af142535682515f579fe4dd28ebca453ab82490159c1 4dae0cb4fe371a2132e4550fb99aeaa0cbf0255a 469b57ccab35a15cbdcdc68c0e0b1502 |
SHA256 SHA1 MD5 |
Malicious APK file hash |
