Bankbot Trojan returns to Google Play disguised as Jewels Star Classic

BankBot, the Android banking Trojan first found on Google Play earlier this year, has made its way back onto the store, this time disguised as the popular game Jewels Star Classic.

Users who install Jewels Star Classic from the developer GameDevTony get a working Android game, but the banking malware payload is hidden inside the game’s resources.

The malicious service is not triggered until 20 minutes after Jewels Star Classic is first run. The infected device then shows an alert prompting the user to enable something called “Google Service”.

Tapping OK, the only way to make the alert go away, takes the user to the Android Accessibility settings, where accessibility services are managed. Alongside the legitimate entries is a new service named “Google Service”, created by the malware; tapping it shows a description copied from Google’s own Terms of Service.

Once the user enables that service, the malware uses its accessibility privileges to click through the dialogs needed to install and launch BankBot, set it as the default SMS app (so it can read two-factor authentication codes delivered by SMS) and grant it permission to draw over other apps, which is what lets it place its own screens on top of legitimate ones. From there, BankBot steals the victim’s credit card details.
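The capabilities described above (an accessibility service labelled to look like Google’s, a receiver that qualifies the app as the default SMS handler, the overlay permission and the package-install permission) are all declared in an APK’s manifest, so a static triage pass can flag them before any dynamic analysis. The following is an added example written for this page, not ESET’s or the page’s own code: it parses a decoded AndroidManifest.xml (the text form apktool produces) and lists which of those indicators are present. The three manifests are constructed samples, not the real Jewels Star Classic or BankBot manifests, and the package names and class names in them are invented.

```python
"""Static triage for BankBot-style dropper/payload indicators in a decoded
AndroidManifest.xml. Editor's example; sample manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def _attr(elem, name):
    """Read an android:-namespaced attribute, "" if absent."""
    return elem.get(ANDROID + name, "")


def manifest_indicators(manifest_xml):
    """Map each indicator name to whether the manifest declares it."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    ind = {
        "accessibility_service": False,
        "google_lookalike_service": False,
        "sms_deliver_receiver": False,
        "overlay_permission": OVERLAY_PERM in perms,
        "install_packages_permission": INSTALL_PERM in perms,
    }
    for svc in root.iter("service"):
        if _attr(svc, "permission") != ACCESSIBILITY_BIND:
            continue
        ind["accessibility_service"] = True
        # The service label is what Settings shows under Accessibility; a
        # non-Google package calling itself "Google ..." is the trick above.
        if "google" in _attr(svc, "label").lower() and not package.startswith("com.google."):
            ind["google_lookalike_service"] = True
    for rcv in root.iter("receiver"):
        # An app can only become the default SMS app if it receives SMS_DELIVER.
        if any(_attr(a, "name") == SMS_DELIVER for a in rcv.iter("action")):
            ind["sms_deliver_receiver"] = True
    return ind


def triage(manifest_xml):
    """Return the sorted list of indicators present, for manual review."""
    return sorted(k for k, v in manifest_indicators(manifest_xml).items() if v)


# Constructed sample 1: an ordinary game, nothing to flag.
BENIGN_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Puzzle">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample 2: a game carrying a "Google Service" accessibility
# service and the permission to install further packages (the dropper stage).
DROPPER_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.jewels">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Jewels">
    <activity android:name=".GameActivity"/>
    <service android:name=".GoogleService" android:label="Google Service"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample 3: the dropped payload, which wants to be the default SMS
# app and to draw over other apps.
PAYLOAD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payload">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Google Service">
    <receiver android:name=".SmsReceiver"
        android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("benign", BENIGN_GAME), ("dropper", DROPPER_GAME), ("payload", PAYLOAD)):
        print(name, triage(xml))
```

Two caveats when applying this to real samples: decoded manifests usually carry labels as resource references (`@string/...`), so the label has to be resolved from res/values/strings.xml before the lookalike check is meaningful; and because the dropper only fires 20 minutes after first launch, a dynamic run shorter than that will show nothing but a game, which is exactly why a manifest-level check like this one is worth running first.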