We analyze the Sberbank online application for Android. method: Sberbank Online program in a patched version

Sberbank really made the right choice with the choice of the developers of its mobile client. However, either the programmers got too carried away, or Sberbank’s requirements were so perverted, but the once good application also one day became a victim of the endless increase in functionality. And this led to the fact that I had to remove the Sberbank online application from most of my devices, and on the remaining ones I had to use special techniques to reduce its harmful impact on the system to a minimum.

What is the problem with the Sberbank online application?

First problem mobile Sberbank- this is its size. The APK file with the application weighs no less than 41 MB. For comparison: the Smash Hit game with excellent 3D graphics weighs 80 MB, the Geometry Dash game with a bunch of levels and music tracks weighs 48 MB, and Google Chrome weighs the same 41 MB. Note that in this case we are comparing complex, complex software with a client application whose sole task is to receive data from the server and send it back in response to user actions.

OK, I agree that with current amounts of internal memory and Internet speeds, the size of the application does not really matter, but its weight also affects the amount of RAM consumed by the application. On different devices with different amounts of RAM and different Low Memory Killer settings, the size of the application in RAM can vary from 40 to 80 MB. Again, for comparison: one of the most RAM-hungry Google Chrome applications with one open tab consumes ~90 MB. And the saddest thing is that, unlike Chrome, which will be forced out of memory some time after closing, Sberbank will remain in it as a service for the entire time the smartphone is running. If you kill it, it will restart; if you reboot your smartphone, it will start at boot; if you use a task killer, you will get ping-pong called “Goodbye Battery”: the task killer kills the service, the system starts it, and so on endlessly.

In twelve hours, Sberbank woke up the smartphone 27 times. If the power saving mode in Android 6.0 had not interfered with it, it would have done this even more often

Well, okay, it hangs and hangs, maybe this is some kind of optimization for speeding up
launch or something else, on modern smartphones with three gigs of memory, 80 MB is nonsense. But no, the service doesn’t just hang in the memory, it regularly wakes up the smartphone to update information about the device’s location and perform some other business. Once again: the application that you use once a week to put money on your phone or check your balance constantly hangs in the background and regularly wakes up your smartphone! If you think this is strange, then read on and you will find out what truly “weird” is.

“THE BANK CARE ABOUT YOUR FINANCIAL SECURITY”

This is exactly the response I received from @sberbank on Twitter when I showed them the screenshot below. What it is? This is a message from the Kaspersky antivirus built into Sberbank. Yes, dear reader, Sberbank not only hangs in the background and constantly wakes up your smartphone, it also wakes up every time you install a new application, and it also has a specific checking routine. You are sitting, reading a book, and suddenly Sberbank wakes up and starts scanning the system. I think there is no need to explain how this affects the battery.

The most paradoxical feature of Sberbank is that, while blaming other applications for the ability to send SMS (as in the above screenshot), Sberbank itself can not only send them, but also read and even change them. It can also read contacts, take pictures, control Bluetooth, make calls, change smartphone settings, Wi-Fi settings, find out location, kill background processes, read and change browser history, change APN settings, monitor running applications, track installation and removal of applications, read and write call logs.

This is only part of the powers that the Sberbank online application requests

Not bad, isn't it? Not every Trojan has such an impressive list of powers. And don’t say that the antivirus needs all this - it’s hard for me to think of why it might need the ability to make calls, make calls, manage Wi-Fi, or read call logs. I don’t mention contact lists; Sberbank uses access to them to make fast transfers money. You don’t mind your contact book being merged into Sberbank, do you?

WHAT TO DO?

Sberbank is not the only application that has fallen victim to the desire to cram everything possible into the application. There are a huge number of them on the market, and the methods of “fighting” them are almost always the same. The first thing you need to do is revoke the app's permissions. If you have Android 6.0, then you can do this by opening “Sberbank Application Settings” and disabling everything except “Memory” in the “Permissions” menu. The next time you launch the application, you will be asked for permissions again, and they must be denied.

If you don’t have Android 6.0, but have CyanogenMod, the same can be done in the “Settings - Privacy - Protected Mode - Sberbank” menu (however, in this case the application may crash). If there is neither Android 6.0 nor CyanogenMod, but there is Greenify. We install the application, agree to grant it root rights, press the + button in the toolbar and see a list of applications that wake up the smartphone. Surely Sberbank will be somewhere at the beginning. Tap on it and press the round button at the bottom of the screen. Now the application will freeze immediately after the screen turns off and will no longer start on its own.

INSTEAD OF CONCLUSIONS

In fact, I, of course, understand where such functionality came from in the Sberbank client. Whatever one may say, it’s easier to build an antivirus into an application than to deal with thousands of users who have had their money stolen. And many users love hyperfunctional applications that can make coffee. The same ES File Explorer is very popular, despite its fantastic overload with all sorts of functions. But as an argument in the heated debate “applications vs bots”, I increasingly hear the words: “Bots are simple, fast and do not require installation, but modern applications are cumbersome and drain the battery.” That's all, good luck.

May 16, 2016, Moscow – Sberbank released the Sberbank Online mobile application with new feature translation requests. Now you can quickly organize a collection of money to buy a gift for a friend or organize an event. All recipients will receive notifications and see the request in a special section of the mobile application. Using push notifications, the requester will be able to track the transfers and will know when the full amount has been collected.

“The Sberbank Online service has already become the standard for non-cash transfers in Russia due to its simplicity and ubiquity. Our users often transfer money for gifts, raise funds for joint endeavors or in support of someone else. In the Sberbank Online mobile application, we have created a service that will make this even more convenient,” says Timur Smirnov, head of the digital products development department of the Bank XXI department of Sberbank.

The function is available to all users mobile applications Sberbank Online for iOS, Android and Windows Phone and will be further improved based on customer feedback.

The new applications for iOS and Android have also improved the personal finance management service. Now it is enough to change the category of the transaction once, so that in the future transactions in a specific store or restaurant will automatically fall into the desired section.

PJSC Sberbank – the largest bank in Russia and one of the leading global financial institutions. Sberbank accounts for about a third of the total Russian assets banking sector. Sberbank is a key lender for national economy and occupies the largest share in the deposit market. The founder and main shareholder of Sberbank PJSC is central bank Russian Federation, owning 50% authorized capital plus one voting share. The other 50% of the Bank's shares are owned by Russian and international investors. More than 135 million people use Sberbank services individuals and more than 1 million enterprises in 22 countries. The bank has the most extensive branch network in Russia: about 17 thousand branches and internal structural divisions. Foreign network The bank consists of subsidiary banks, branches and representative offices in the UK, USA, CIS, Central and Eastern Europe, Turkey and other countries.

Owners of Android devices easily mastered the service Sberbank Online and appreciated its convenience. But some users unexpectedly encountered a very specific problem: the program refused to perform operations on those devices where superuser rights were obtained, considering rooted Android smartphones more vulnerable than regular devices. The saddest thing is that even after completely removing Root rights, users cannot normalize the operation of the service - access is still limited. A message appears on the screen: “Attention! Root access has been detected on this device. Sberbank cannot guarantee the security and correct operation of the application on rooted devices. By continuing to work, you assume the risks." Someone might take a risk, but the program is inexorable, Access closed.

We sent a request to technical support and received official answer Sberbank representative: Official response from a Sberbank representative: “Unfortunately, some Android phones have firmware with “root access.” Working with such firmware significantly increases the likelihood of fraud through viruses. The antivirus that is included in Sberbank Online, like any other application installed on Android with root firmware, does not have full control over the smartphone. That is why we limit operations for Android phones with such firmware - we are faced with a system limitation that does not allow the antivirus to correctly search for and remove viruses. However, we leave for our users who are faced with this feature the opportunity to use Sberbank Online on Android smartphones - a reliable solution is available for them that guarantees the safety of funds, leaving the opportunity to pay for services and external transfers only using templates created in the Sberbank Online version for computers."

Method 1: Use the Sberbank Patch for LuckyPatcher

Program LuckyPatcher Suitable for most applications and services. It scans the smartphone for installed software, sorting it into two groups according to the possibility and impossibility of a patch. In the first group, programs for which the patch will be especially useful are placed at the top of the list. If a patch is successfully applied to such a program, it will be identified as fully registered and will not arouse suspicion from the defense, including the Sberbank Online antivirus.
1. Download Lucky Patcher and install it;

Method 2: SberbankUnRoot patch for Xposed Framework

1. Download the framework, open XposedInstaller and click Install/Update to install the program. The application will ask for superuser rights - agree and reboot the device.

After this, problems with the Sberbank Online client should not arise.

Method 3: Sberbank Online program in a patched version.

The easiest way is to install in advance patched version Sberbank Online client. All difficult work made for you (and for us) by a talented user. He also shared a link to the .apk file of the patched version of the program, which is so necessary for owners of rooted devices. Many thanks to him!
We just install and easily use the service.

Method 4: Removing remnants of Root rights

Method 5: Disabling AlarmReceiver using My Android Tools