On September 24, 2018, the clients of three major Czech banks received a major hit by a mobile malware and have money from their bank accounts stolen. What happened with the QRecorder malware?


1. What happened with the QRecorder malware?
Czech Banks are Under Attack,
Clients Lose Money.
petr@wultra.com

2. "Today, the mobile malware
threat got very real.

3. What happened?
• Several clients of the Czech banks reported losing money
from their bank accounts.
• In total, "high tens of thousands" of US dollars were lost.
• The users had their Android smartphone infected with
mobile malware, Eset was the first to report it.
• The police are currently investigating the incident.

4. Which banks were affected?
Affected Not Known to be Affected

5. More info about the malware
• QRecorder: A repackaged app for phone call recording.
• Distributed via Google Play, which is a regular channel.
• Activated via a remote update in the right moment.
Internally, the "Spy.Banker.AIX" malware core was used.
• Tailor-made for specific banks. It was able to bypass the
additional security measures designed by the banks.

7. What was the principle of this attack?
• The attack was in principle a clever "overlay attack."
• The malware was placing an overlay over the regular
banking app. It requested sensitive information from the
user, pretending a regular mobile app is requesting the info.
• After gathering a sufficient amount of the private
information, it intercepted SMS OTP sent via bank and took
full control over the bank account.

8. What can banks do?
• Invest in App Shielding / RASP technologies to protect their
mobile banking apps from overlay attacks and other
sophisticated runtime attacks. Learn more →
• Be ready and respond fast in the case a similar threat
emerges again.
• Educate customers, though it would not help in this case,
the customers did everything right.

9. What can app users do?
• Install a mobile anti-virus solution. Learn more →
• Be alert to changes of behavior of their mobile banking app.
• Never enter any credentials intended for the Internet
banking into the mobile banking app or any other system
than the Internet banking.

10. Thank you.
petr@wultra.com

11. Resources

12. Media Coverage (CZ)
• https://www.lidovky.cz/byznys/firmy-a-trhy/princip-ktery-vyuziva-skodliva-aplikace-qrecorder-neni-
zadnou-novinkou-rika-miroslav-dvorak-z-esetu.A180925_115417_firmy-trhy_pkk
• https://www.eset.com/cz/o-nas/pro-novinare/tiskove-zpravy/eset-varuje-pred-nebezpecnou-aplikaci-
qrecorder-cili-na-ceske-uzivatele-a-jejich-internetove-bankov/
• http://www.blesk.cz/clanek/digital-mobily/566831/penize-desetitisicu-cechu-ohrozuje-nebezpecny-virus-
na-pozoru-by-meli-byt-uzivatele-androidu.html
• https://mobil.idnes.cz/nahravac-hovoru-qrecorder-muze-byt-zavirovany-fr0-/mob_tech.aspx?
c=A180925_105023_mob_tech_jm
• https://www.lidovky.cz/byznys/firmy-a-trhy/princip-ktery-vyuziva-skodliva-aplikace-qrecorder-neni-
zadnou-novinkou-rika-miroslav-dvorak-z-esetu.A180925_115417_firmy-trhy_pkk

13. Media Coverage (CZ)
• https://www.chip.cz/novinky/pozor-na-aplikaci-qrecorder/
• https://www.zive.cz/clanky/pozor-aplikace-qrecorder-pro-nahravani-hovoru-krade-hesla-k-bankovnictvi/
sc-3-a-195222/default.aspx
• https://www.novinky.cz/internet-a-pc/bezpecnost/484292-desitky-tisic-cechu-ohrozuje-nebezpecny-
virus-napada-internetove-bankovnictvi.html
• https://www.lupa.cz/aktuality/aplikace-qrecorder-z-google-play-je-nakazena-malwarem-cili-na-ceske-
uzivatele/
• https://ct24.ceskatelevize.cz/ekonomika/2604389-na-internetove-bankovnictvi-miri-utok-pres-aplikaci-
qrecorder-ohrozeny-jsou-mobily