- Jan 24, 2011
An Android banking malware campaign has hit nearly 100 banks in the United States, Germany, France, Australia, Turkey, Poland and Austria.
According to Fortinet, the bad actors are targeting customers of large banks, looking to steal login credentials from 94 different mobile banking apps. Due to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication.
After the malware is installed, it can not only send and intercept SMS messages, but also perform a factory reset to wipe the phone (with the potential for huge data loss for the user). It also lures the user into submitting credit card details by popping up a request for banking information any time an app is launched on the device. The malware is able to verify whether the card number submitted by the user is valid, and if it is, the malware pops up a fake “Verified by Visa” or “MasterCard SecureCode” view.
The malware also uses a screen overlay with a fake login window to lure users to submit their login credentials for banking apps, and then sends them to its C&C server. It contains modules to target the credentials for popular social media apps as well, including Facebook, Facebook Messenger, Whatsapp, Skype, Twitter, Viber, Instagram and Snapchat.
“This malware implements multiple malicious functionalities into a single app and takes full advantage of a successful infection,” Fortinet researchers said, in a blog. “The attacker can control the list of legitimate apps to be targeted via C&C commands.”
As for the infection chain, the malware masquerades as a Flash Player app to trick users into downloading it. When the user taps the Flash Player icon and launches it, the app requests device administrator rights through a fake Google Play service prompt. Once enabled, this self-defense mechanism prevents the malware from being uninstalled from the device.
The app displays a screen overlay on top of any other apps, rendering them useless. The user has an option to cancel or activate, but if the user clicks the cancel button, the view is closed, and then just restarts—forcing the user to click “activate” to get rid of it. This grants the malware full device administrator rights. The Flash Player icon is then hidden from the launcher, but the malware remains active in the background.
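The three capabilities described above (SMS interception, a self-protecting device-administrator receiver, and screen overlays) all leave traces in an app's manifest. The following is an added triage example, not code from the article or from Fortinet, that scans a decoded AndroidManifest.xml for that combination; the sample manifests are constructed for illustration and the scoring scheme is an assumption.

```python
# Added example (not from the article or Fortinet): static triage of a decoded
# AndroidManifest.xml for the capability mix the article describes.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names behind the reported behaviours.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return which indicators are present plus a simple count as a score."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    # A device-admin receiver must be guarded by BIND_DEVICE_ADMIN.
    admin_receivers = [_attr(r, "name") for r in root.iter("receiver")
                       if _attr(r, "permission") == DEVICE_ADMIN_PERM]
    findings = {
        "sms_intercept": bool(perms & SMS_PERMS),
        "overlay": OVERLAY_PERM in perms,
        "device_admin": bool(admin_receivers),
    }
    findings["score"] = sum(1 for v in findings.values() if v)  # 0..3
    return findings


# Constructed sample resembling the described "Flash Player" dropper.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="%s" package="com.example.fakeflash">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flash Player">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>""" % ANDROID_NS

# Constructed benign sample: only network access, no receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>""" % ANDROID_NS
```

A score of 3 does not prove malice on its own, but an app that claims to be a media player and needs all three is worth a closer look.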
Read more: Android Info-stealing Baddie Targets Almost 100 Banks