Cybersecurity researchers have identified a new Android banking Trojan named Maverick. The malware is being distributed in a mass-scale campaign that primarily leverages the WhatsApp messaging platform to infect devices. The Trojan is designed to steal sensitive information, including login credentials for financial and cryptocurrency applications, by abusing Android’s Accessibility Services.
The name ‘Maverick’ originates from the open-source accessibility framework ‘Mavericks,’ from which the Trojan’s authors borrowed code. The malware itself is based on the Godot game engine and is written in Kotlin. The primary targets of this campaign are users located in the Philippines.
Distribution Method: WhatsApp and Fake Job Lures
The initial infection vector for the Maverick Trojan is a malicious link sent through WhatsApp messages. These messages contain deceptive lures, such as fake job offers, to entice users into clicking the link. The link leads to a website that serves a malicious APK file. The malware masquerades as a legitimate application, using names like ‘Task Boto’ or ‘Bling Story’ to appear harmless.
Once the user installs and opens the fraudulent app, it immediately requests permission to use Accessibility Services. Granting this permission is the critical step that allows the malware to execute its malicious functions. After receiving the necessary permissions, the Trojan hides its icon from the device’s application launcher to evade detection and removal.
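The combination described above, an enabled Accessibility Service on a third-party package that exposes no launcher icon, is something a responder can check for over ADB. The triage helper below is an added example, not code from the researchers or from the malware; the package and service names in it are constructed placeholders, and it assumes the inputs are the text returned by `adb shell settings get secure enabled_accessibility_services` and a one-`package/activity`-per-line launcher listing such as `adb shell cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`.

```python
"""Flag third-party packages that hold an enabled Accessibility Service and
expose no launcher icon. Sample inputs below are constructed, not captured."""

from dataclasses import dataclass

# Constructed sample: the value of the secure setting is a colon-separated list
# of "package/service" entries. The second entry is a made-up suspicious app.
SAMPLE_ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.taskboto.app/com.taskboto.app.AccessService"
)
# Constructed sample: packages that expose a MAIN/LAUNCHER activity (a visible icon).
SAMPLE_LAUNCHER_ACTIVITIES = """\
  com.android.settings/.Settings
  com.whatsapp/.Main
  com.android.talkback/.TalkBackPreferencesActivity
"""

# Packages that legitimately run an accessibility service on this device (assumed allowlist).
KNOWN_ACCESSIBILITY_PROVIDERS = {"com.android.talkback"}


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    reason: str


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the colon-separated 'pkg/service' entries of the secure setting."""
    entries = []
    for entry in raw.strip().split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            entries.append((pkg, svc))
    return entries


def parse_launcher_packages(raw: str) -> set[str]:
    """Collect the package names that have at least one launcher activity."""
    return {line.strip().split("/", 1)[0] for line in raw.splitlines() if "/" in line}


def triage(services_raw: str, launcher_raw: str) -> list[Finding]:
    """Report non-allowlisted accessibility services; note when the icon is hidden."""
    launchers = parse_launcher_packages(launcher_raw)
    findings = []
    for pkg, svc in parse_enabled_services(services_raw):
        if pkg in KNOWN_ACCESSIBILITY_PROVIDERS:
            continue
        reason = "accessibility service enabled"
        if pkg not in launchers:
            reason += ", no launcher icon"  # matches the hide-the-icon behaviour
        findings.append(Finding(pkg, svc, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_LAUNCHER_ACTIVITIES):
        print(f"{f.package} ({f.service}): {f.reason}")
```

A hit is a lead for manual review of the APK, not proof of infection on its own, since some legitimate accessibility apps also lack a launcher entry.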
Technical Capabilities and Data Theft
Maverick abuses the granted Accessibility Services permissions to perform its core data-stealing activities. It functions as a keylogger, capturing every keystroke a user makes on their device. The Trojan also has the capability to take screenshots of the user’s screen. This stolen data, which includes keystrokes and visual information, is then sent to a command-and-control (C2) server.
The malware specifically targets a list of financial, cryptocurrency, and messaging applications. It uses overlay attacks, where it displays a fake login page (a phishing page) on top of the legitimate app’s interface. When a user enters their credentials into this fake window, the information is captured and exfiltrated. Targeted applications include BPI, BDO, Metrobank, Coins.ph, GCash, Binance, Trust Wallet, WhatsApp, Facebook Messenger, and Gmail. In addition to credentials, Maverick also steals and sends the user’s contact list, SMS messages, and a list of all installed applications to its C2 server via a WebSocket connection.