Android.ZBot Banking Trojan Steals Card Details via Web Injections

Jack


Over 20 botnets detected targeting Russian users

Dr.Web detected a new mobile banking trojan targeting Android users, one that uses carefully placed fake payment forms to trick users into giving away sensitive financial details.

Security researchers detected the trojan (Android.ZBot) for the first time in February, and until now, it seems to have stayed active only in Russia, having infected around 52,000 devices, split across 20 different C&C servers.

Dr.Web's staff claim to have gained access to three of these botnets, where they found between 140 and 2,300 compromised devices. Only 15 of the 20 botnets were still active at the time of Dr.Web's disclosure.

Infections occur via a fake Google Play Store app

Infection, as in most cases, occurs when users are careless enough to install Android apps from unofficial third-party app stores. In Android.ZBot's case, the culprit is an app masquerading as the official Google Play Store application.

When this app is installed, it immediately asks for admin permissions. If the user detects the fake and denies it root privileges, the trojan, in a desperate effort, shows a fake payment form on the user's screen, trying to trick them for the last time before being uninstalled. A desperate Hail Mary attempt, but very ineffective.


Read more: Android.ZBot Banking Trojan Steals Card Details via Web Injections
 
