A recently uncovered banking trojan aims to steal Android victims’ online banking credentials and take over their bank accounts, using “elaborate” overlay attack capabilities.
The malware, dubbed “Banker.BR” by researchers with IBM X-Force, was spotted in messages targeting users in countries that speak Spanish or Portuguese (including Spain, Portugal, Brazil and other parts of Latin America). Researchers said the malware is under continual development, and they warned of extended overlay capabilities and code enhancements in the coming months.
“According to our analysis, Banker.BR’s code is entirely new and does not rely on previously leaked code or existing mobile malware,” said Ben Wagner and Limor Kessem, IBM X-Force researchers, in a Tuesday analysis. “While our team has seen earlier versions of this trojan, which only featured a basic SMS stealer, [the latest version has a] new, and more elaborate, feature of the overlay malware capability — a tactic common to most Android banking malware.”
The malware is spread via messages that lead users to a malicious domain controlled by the attackers. The domain instructs victims to download the most recent version of a purported “security app” required for mobile banking. If victims click the update button, they unwittingly launch the malware download from a legitimate file-sharing platform.