On September 24, 2018, the clients of three major Czech banks received a major hit by a mobile malware and have money from their bank accounts stolen. What happened with the QRecorder malware?
 (updated version)

1. What happened with the QRecorder malware?
Czech Banks are Under Attack,
Clients Lose Money.
petr@wultra.com

2. "Today, the mobile malware
threat got very real.

3. What happened?
• Several clients of the Czech banks reported losing money from their
bank accounts.
• In total, "high tens of thousands" of US dollars were lost.
• About 10 000 user might be affected by the malware.
• The users had their Android smartphone infected with mobile
malware, Eset was the first to report it.
• The police are currently investigating the incident.

4. Which banks were affected?
Affected Not Known to be Affected

5. More info about the malware
• QRecorder: A repackaged app for a phone call recording.
• Distributed via Google Play, which is a regular channel.
• Activated via a remote update in the right moment. Internally, the
"Spy.Banker.AIX" malware core was used.
• Tailor-made for specific banks. It was able to bypass the additional
security measures designed by the banks.

7. What was the principle of this attack?
• The attack was in principle a clever "overlay attack."
• The malware was placing an overlay over the regular banking app. It
requested sensitive information from the user, pretending a regular
mobile app is requesting the info.
• After gathering a sufficient amount of the private information, it
intercepted SMS OTP sent via bank and took full control over the
bank account.

8. What can banks do?
• Invest in App Shielding / RASP technologies to protect their mobile
banking apps from overlay attacks and other sophisticated runtime
attacks. Learn more →
• Be ready and respond fast in the case a similar threat emerges
again.
• Educate customers, though it would not help in this case, the
customers did everything right.

9. What can app users do?
• Uninstall the QReader app, in case they have it on their smartphone!
• Install a mobile anti-virus solution. Learn more →
• Be alert to changes of behavior of their mobile banking app.
• Never enter any credentials intended for the Internet banking into
the mobile banking app or any other system than the Internet
banking.

10. Thank you.
petr@wultra.com

11. Resources

12. Media Coverage (CZ)
• https://www.eset.com/cz/o-nas/pro-novinare/tiskove-zpravy/eset-varuje-pred-nebezpecnou-aplikaci-
qrecorder-cili-na-ceske-uzivatele-a-jejich-internetove-bankov/
• https://www.lidovky.cz/byznys/firmy-a-trhy/princip-ktery-vyuziva-skodliva-aplikace-qrecorder-neni-
zadnou-novinkou-rika-miroslav-dvorak-z-esetu.A180925_115417_firmy-trhy_pkk
• http://www.blesk.cz/clanek/digital-mobily/566831/penize-desetitisicu-cechu-ohrozuje-nebezpecny-virus-
na-pozoru-by-meli-byt-uzivatele-androidu.html
• https://mobil.idnes.cz/nahravac-hovoru-qrecorder-muze-byt-zavirovany-fr0-/mob_tech.aspx?
c=A180925_105023_mob_tech_jm
• https://www.chip.cz/novinky/pozor-na-aplikaci-qrecorder/

13. Media Coverage (CZ)
• https://www.zive.cz/clanky/pozor-aplikace-qrecorder-pro-nahravani-hovoru-krade-hesla-k-bankovnictvi/
sc-3-a-195222/default.aspx
• https://www.novinky.cz/internet-a-pc/bezpecnost/484292-desitky-tisic-cechu-ohrozuje-nebezpecny-
virus-napada-internetove-bankovnictvi.html
• https://www.lupa.cz/aktuality/aplikace-qrecorder-z-google-play-je-nakazena-malwarem-cili-na-ceske-
uzivatele/
• https://ct24.ceskatelevize.cz/ekonomika/2604389-na-internetove-bankovnictvi-miri-utok-pres-aplikaci-
qrecorder-ohrozeny-jsou-mobily