DarkMobileBank tracking and analysis report
Posted by harmelink at 2020-03-07
Introduction

The Antiy AVL Mobile Security Team (hereinafter the AVL team) is a security business unit within Antiy that focuses on mobile security and mobile threat confrontation. From 2010 to now we have lived through a complete era of mobile security development and threat confrontation, and a continuous technical contest in the course of it. Fortunately, we inherited Antiy's strong foundation in anti-malware on the PC side and kept working with the support of headquarters. Today we are one of the mobile security teams with the strongest fundamental capabilities in the world, and the world's largest provider of mobile anti-virus engine technology and services.

The continuous underground-industry attacks and threats against mobile finance and mobile payment systems disclosed in this report are the aggregate intelligence formed through nearly three years of continuous tracking and analysis by the AVL team, from May 2013 to the present. As early as May 2013 we began to pay attention to this form of attack, which is technically very simple and crude. At the same time, we have watched how this form of attack and threat has persisted since 2013, gradually refining every link of the underground industry chain, spawning different divisions of labour and underground trading links, and finally growing into a mature, industrialised chain with tens of thousands of illegal participants and a clear division of cooperation.

Preparation of this material began in January 2016. We thank universities and peers in the security and financial industries for their support while the material was being organised. We thank Mr. Yang Min of Fudan University and his security team for participating in the preparation, assisting with some of the technical and analytical material, and providing revision suggestions for the overall presentation. We thank the Information Technology Management Department of the Bank of Communications, the Information Technology Department of China Merchants Bank and the Information Technology Department of Shanghai Pudong Development Bank for their suggestions on the release of the initial version of this material and for discussing effective security governance measures with us.

Background and earlier disclosures

With the rapid development of the mobile Internet, mobile payment has, since 2012, essentially completed the journey from cultivating user habits to full penetration. A large number of financial and payment transactions have gradually become the main need and key business scenario for users on the mobile side. Mobile banking gives us convenient access to banking services, but it has also spawned a large number of related mobile payment transactions and links. To keep users safe during mobile payment, mobile banks have adopted many security measures: identity authentication and two-factor authentication based mainly on mobile-phone dynamic passwords during payment, and secure communication to prevent payment-related information from leaking. As online payment moved to two-factor authentication based on SMS dynamic passwords that depend on the user's mobile phone, the security threat to users' online financial assets moved from the PC platform to the mobile platform.

Since 2010 the AVL team has carried out important security research in this area, which we summarise briefly here. The Zbot and Spitmo families, which appeared in 2011, were the first malicious code families to move from PC attack scenarios to mobile attack scenarios.
● Zbot: hijacks the bank dynamic-password SMS received by the user and sends it to a remote server.
● Spitmo: disguised as a token program, steals the bank's authentication SMS and sends it to a remote server.

At the end of 2012 the SmsZombie family became active in China. Its main targets were the bank and payment text messages received by users, matched on keywords such as "bank", "Alipay" and "verification code". A later variant attacked more than 10 domestic banks: it monitored the banking application and launched a well-disguised bank login interface in the background to induce users to enter their account and password. In early 2013, with the popularity of Taobao and Alipay, attacks on Taobao and Alipay accounts appeared that disguised themselves as the Taobao application or its login interface to steal the user's account information, such as the FakeTaobao family. In mid-2013 the Google SSMS family became active. It took Korean banks as its main target and used a relatively new attack mode: inducing users to uninstall the legitimate banking application so that it could be replaced with a counterfeit malicious one. At the end of 2013 a class of threat that steals private data from the user's phone began to rise, mainly stealing the content of the user's SMS messages, the address book, geographic location, phone recordings and so on.
Its core functions are basically SMS interception or privacy interception and exfiltration. SMS interception is its signature malicious behaviour, so the threat is usually nicknamed the "SMS interception Trojan". The representative family is the emial family (in the early stage this keyword appeared in the core code of the malicious code family and on its C2 server; whether the attacker intended it or not, it is close to "email", hence the name). There are hundreds of different malicious code variants in this family and dozens of malicious code families with similar threats; we will not list them here.

Since 2014 the AVL team has continuously exposed the related attack threats. Through continuous tracking and analysis we found that within about a year of 2013, the attacks built around the SMS-intercepting Trojan began to form a relatively complete underground industry chain that gradually "attracted" more people to join it and grew.

List of threat analysis reports on attacks against banks (2014-2016) released by the AVL team:

In 2015 foreign security companies began to disclose a large number of attack cases against European and American banks, such as Slembunk, GM Bot and Marcher. Their main attack mode is to monitor the banking application, pop up a phishing login interface, steal the bank account information and steal the SMS content received by the user, which is the same as what happened in China in 2013 and early 2014.

Attackers have penetrated every link through attack modes accumulated and constructed over many years. For the attackers, the vast number of potential victims and the victims controlled by intercepting Trojans have not only been assembled into a mobile botnet under their control, but have also become a natural cash machine for them, like a private bank owned by the attackers. We therefore use the code name DarkMobileBank for the whole underground industry and threat.
OSINT collation and aggregation analysis

We collated the open-source intelligence (region: China) on threats to mobile banking and financial payment transactions since 2013, sorted it by time (up to April 10, 2016) and calibrated the related OSINT. A total of 41 domestic OSINT items were disclosed: 1 in 2012, 7 in 2013, 13 in 2014, 12 in 2015 and 8 in 2016. We classified them according to the key content disclosed in each report (excluding the part shared by Antiy):

Threat overview and threat attack chain

To better present the complete elements and information of the overall threat attack behaviour, AVL team analysts organise and present each link of the attack according to the links of the attack chain. By identifying the important elements and information of the different attack links, one can quickly describe the important links and methods of the whole attack.

Note: the kill chain, which suits APT and network scenarios, is currently the best-known way of describing an attack chain. Because the threat scenarios differ, we have simplified and adapted it for mobile threat scenarios. The most critical attack scenario is that the attacker uses remote control to continuously violate the victim, steal privacy and make profits, so these are merged into a single C2 and objective stage.

List of the main tactics and techniques in each stage and link of the attack chain:

1 Reconnaissance. Attackers usually need to make preparations before launching attacks, including preparing various materials and joining related communication groups to get the latest experience and share information. Since the attacker groups disclosed in this report have formed a very mature division of labour and internal trading system, new attackers usually first join the network to seek exchanges and obtain relevant experience. In some cases there is a "master" role who helps new attackers become familiar with the attack process.
At the same time, as the attackers as a whole have developed and matured, their attack effectiveness against different regions, banks or payment transaction systems has given different groups a very rich body of "accumulated experience".

2 Weaponization. Attackers carefully craft Trojan programs and phishing websites and register large numbers of domain names, email addresses and mobile phone numbers for use in attacks. In this link there are also many internal transactions and reselling links (because the mechanism of the malicious code itself is relatively simple, and malicious code is now highly fluid and standardised, which also sharply increases the difficulty of attribution based on the malicious code itself).
● Among the three major operators, attackers prefer to impersonate the mobile operators; 68% of these cases impersonate the 10086 number.
● Among bank users, attackers prefer the customers of China Merchants Bank and China Construction Bank; nearly 60% of the phishing websites impersonate the official websites of these two banks.

3 Delivery. Attackers mainly use pseudo base stations to send fraudulent phishing messages, or fraud messages carrying malicious code links, while spoofing numbers such as 10086 and 95555. The message content contains URLs that resemble official websites, or short URL links, to trick users into clicking and landing on the disguised phishing website.

4 Attack. The attacker disguises the Trojan with a normal application name or icon to induce the user to install it on the phone.
According to statistics on the "SMS-intercepting Trojan" malicious code found on victim users' devices in threat incidents:
● 70% of the threat attacks are disguised with names such as photo album, materials, photos and party album, as if sent by the victim's mobile contacts and friends
● 15% of the threat attacks are disguised with names from the three major operators, such as the China Mobile client and Palm Business Hall

In the mobile threat scenario we find that C2 control behaviours and further violations against the victim's target are highly aggregated; the continued violations are frequently combined with C2 control behaviours, so we merged the attack of this link. The SMS-intercepting Trojan in this paper usually has comprehensive "multi-channel" control capability based on SMS (controlled from a remote mobile phone number), email return, and network control and return. At the same time, the infringement on the victim is usually accompanied by higher real-time remote control behaviour (for example, real-time forwarding of the dynamic verification code of an online transaction).
● Some Trojans will receive SMS instructions or
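The delivery and attack stages above describe a recognisable inbound-SMS pattern: a spoofed operator or bank sender ID, a link that either imitates an official website or hides behind a short URL, and "photo album" style lures. The following is an added example (not code from the report or from Antiy) of a defender-side triage heuristic that scores messages on exactly those signals. Everything in it is an assumption for illustration: the allowlist of official domains, the spoofable short codes (10086 comes from the report; 95555 and 95533 are assumed bank service numbers), the shortener list, the lure phrases, the scoring weights and the sample messages.

```python
"""Heuristic triage of inbound SMS for the pseudo-base-station phishing
pattern described in the report. Added example; every list and weight
below is an assumption, not data from the report."""
import re
from urllib.parse import urlparse

# Assumed allowlist of official domains for the brands the report says are
# impersonated most (China Mobile 10086, China Merchants Bank, China Construction Bank).
OFFICIAL_DOMAINS = {"10086.cn", "cmbchina.com", "ccb.com"}
# Brand tokens whose presence in a *non-official* host marks a lookalike.
BRAND_TOKENS = ("10086", "cmb", "ccb")
# Sender IDs a pseudo base station would spoof (10086 per the report;
# 95555/95533 assumed as CMB/CCB service numbers).
SPOOFABLE_SENDERS = {"10086", "95555", "95533"}
# Constructed list of URL shorteners.
SHORTENERS = {"t.cn", "dwz.cn", "bit.ly"}
# Lure wording taken from the report's statistics on Trojan display names.
LURE_PHRASES = ("photo album", "party album", "photos", "materials")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SUSPICIOUS_THRESHOLD = 2  # assumed cut-off for the summed score


def extract_hosts(text):
    """Return lowercase hostnames of every http(s) URL in the message."""
    hosts = []
    for raw in URL_RE.findall(text):
        host = urlparse(raw.rstrip(".,;:)")).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_official(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def is_lookalike(host):
    """A host that carries a brand token but is not official imitates that brand."""
    return not is_official(host) and any(tok in host for tok in BRAND_TOKENS)


def triage(sender, text):
    """Score one SMS and explain the score; higher means more suspicious."""
    score, reasons = 0, []
    if sender in SPOOFABLE_SENDERS:
        score += 1
        reasons.append(f"sender {sender} is an operator/bank short code that pseudo base stations spoof")
    for host in extract_hosts(text):
        if is_official(host):
            continue  # link to the real site, no signal
        if host in SHORTENERS:
            score += 1
            reasons.append(f"shortened URL via {host} hides the landing page")
        elif is_lookalike(host):
            score += 2
            reasons.append(f"host {host} imitates an operator/bank brand but is not an official domain")
    lowered = text.lower()
    if any(p in lowered for p in LURE_PHRASES):
        score += 1
        reasons.append("wording matches the 'photo album / materials' social lure")
    return {"score": score, "reasons": reasons, "suspicious": score >= SUSPICIOUS_THRESHOLD}


# Constructed sample messages: a spoofed operator lure with a lookalike host,
# a "party photos" lure behind a shortener, and a benign operator notice.
SAMPLE_SMS = [
    ("10086", "Your points expire today, redeem at http://10086-bonus.example.cn/x"),
    ("+8613800000001", "Here are the photos from the party album http://t.cn/abc"),
    ("10086", "Your balance is 50 yuan. https://www.10086.cn/"),
]


def triage_samples():
    """Run the heuristic over the constructed samples; returns (sender, suspicious) pairs."""
    return [(sender, triage(sender, text)["suspicious"]) for sender, text in SAMPLE_SMS]


if __name__ == "__main__":
    for sender, text in SAMPLE_SMS:
        result = triage(sender, text)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{flag}] from {sender}: {text}")
        for reason in result["reasons"]:
            print("    -", reason)
```

The lookalike test deliberately treats any non-allowlisted host carrying a brand token as suspicious, because the report's point is that the phishing URLs resemble official websites rather than matching them; a shortened link scores lower on its own, since shorteners are also used legitimately, and only becomes decisive together with a lure or a spoofed sender.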