The Android virus called “Revive” pretends to be a 2FA app for the BBVA bank

The 2FA application needed to access BBVA bank accounts in Spain is impersonated by a new Android banking malware called Revive. Instead of aiming to infect customers of many financial institutions, the new banking trojan takes a narrower approach and targets BBVA alone. Even though Revive is still in the early stages of development, it is already able to perform sophisticated tasks such as intercepting two-factor authentication (2FA) codes and one-time passwords.

Researchers at Cleafy discovered Revive and named it after a function of the same name that the malware uses to restart itself if it is terminated. According to Cleafy's analysts, the malware reaches prospective victims through phishing attacks that convince them to download an application presented as a 2FA tool required for improved bank account safety. The phishing lure claims that the 2FA functionality built into the real bank app no longer meets the required security level, so users must install this additional tool to upgrade their banking security.

The app is hosted on a dedicated website that sports a professional appearance and even has a video tutorial to guide victims through the process of downloading and installing it. Upon installation, Revive requests permission to use the Accessibility Service, which basically gives it complete control of the screen and the ability to perform screen taps and navigation actions. When the user launches the app for the first time, they are requested to grant it access to SMS and phone calls, which might appear normal for a 2FA utility.
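The permission profile described above (an Accessibility Service plus SMS and phone-call access in an app that claims to be a 2FA helper) is something an analyst can check for mechanically. The following is an added triage example, not code from the article or from Cleafy: it parses a decoded AndroidManifest.xml (for instance, as produced by apktool) and flags that combination. The manifest below is a constructed sample, not the Revive manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions a "2FA helper" has no legitimate need for (SMS and call access, per the article).
SMS_CALL_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Report which Revive-style traits a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    # A service protected by BIND_ACCESSIBILITY_SERVICE is an AccessibilityService:
    # once enabled it can read screen content and inject taps on the user's behalf.
    accessibility = any(
        s.get(PERMISSION) == ACCESSIBILITY_BIND for s in root.iter("service")
    )
    sms_call = sorted(requested & SMS_CALL_PERMS)
    return {
        "package": root.get("package"),
        "accessibility_service": accessibility,
        "sms_or_call_permissions": sms_call,
        "suspicious": accessibility and bool(sms_call),
    }


# Constructed sample manifest that mimics the traits described for the fake 2FA app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake2fa">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".ScreenService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A genuine authenticator app declares neither an AccessibilityService nor SMS permissions, so a hit on both is a strong reason to hold the APK for manual review rather than proof of malice on its own.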

The narrow targeting, short-lived campaigns, and localized operations likely give security vendors few opportunities to capture samples of these threats and build detection signatures, which lets them fly under the radar for longer.

Credentials entered into the app are sent to the threat actors' C2, after which a generic homepage with links to the real website of the targeted bank is loaded. From then on, Revive keeps running in the background as a simple keylogger, recording everything the user types on the device and sending it periodically to the C2. Based on Cleafy's analysis of the new malware's code, its authors appear to have drawn on Teradroid, an Android spyware project whose code is publicly available on GitHub.
