- Apr 5, 2014
Android users are being warned about a new form of malware that can steal passwords, credit card and banking details and intercept text messages.
The malware, dubbed Android.BankBot.211.origin, was discovered by security firm Dr Web and spreads by disguising itself as well-known apps such as Adobe Flash Player.
Once it has infected a device, it hijacks Android’s Accessibility Service to add itself to the device’s administrator list.
From there it can extract text messages, open links and steal call info and contact lists.
But that’s not all.
The malware also displays fake login screens to a number of major banks and credit card providers.
The unsuspecting user then enters their card or account details into the fake screen, which hands important information such as the CVC security number to the hackers responsible for the malware.
Researchers from Dr Web said the malware first infected Android devices in Turkey but has since spread to users in dozens of countries.
Dr Web published photos of the fake login screens the BankBot can display on Android devices.
One photo even showed a screen that included Google Play branding, making it even more convincing.
Image: DrWeb
Dr Web said the BankBot is made more dangerous because it is very difficult to remove from infected devices.
When a user tries to delete the infected app, the BankBot removes the app’s icon from the phone, tricking the user into thinking it has been deleted. However, the BankBot is still working away in the background.
Explaining how BankBot works, Dr Web said in a blog post: “The Trojan also collects information about all launched applications and user’s actions performed within them.
“For example, it tracks available text fields, such as menu elements, and logs key strokes and other components of the user interface.
“Moreover, Android.BankBot.211.origin is capable of stealing login credentials and other authentication information input by users in any programs on any websites during authorization.
“To steal passwords, the Trojan takes a screenshot of every key stroke; as a result, it obtains the required sequence of characters before they are hidden.
“After that, the information input into the displayed fields and all the saved screenshots are sent to the command and control server.”
This isn’t the first time BankBot has been used to target Android users.
In April, security experts discovered that more than 400 apps in the Google Play store had been infected with BankBot, which Google promptly removed.
This most recent strain of BankBot has not yet been found in the Google Play Store, so an easy way for users to stay clear of the malware is to avoid downloading apps from third-party or unofficial app stores.
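The behaviours described above (an enabled accessibility service, device administrator rights, a hidden icon and an install from outside Google Play) can be checked together when triaging a device. The following is an added example, not code from Dr Web or the article; it parses text captured with `settings get secure enabled_accessibility_services`, `dumpsys device_policy` and `pm list packages -i`, and the sample data, the package name `com.example.flashupdate` and the `launcher_packages` input are constructed for illustration.

```python
import re
PLAY_STORE = "com.android.vending"  # installer name reported for Google Play installs

def accessibility_packages(setting_value):
    """Packages in `settings get secure enabled_accessibility_services` (colon-separated pkg/class)."""
    value = setting_value.strip()
    if value in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if "/" in c}

def device_admin_packages(dumpsys_text):
    """Packages written as ComponentInfo{pkg/class} in `dumpsys device_policy` text.
    Assumption: the layout differs between Android versions; adjust the pattern as needed."""
    return set(re.findall(r"ComponentInfo\{([\w.]+)/", dumpsys_text))

def installers(pm_text):
    """Map package -> installer from `pm list packages -i` lines."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_text, re.M))

def triage(a11y_value, dumpsys_text, pm_text, launcher_packages):
    """Return [(package, reasons)] for packages holding either privilege, most reasons first."""
    a11y = accessibility_packages(a11y_value)
    admins = device_admin_packages(dumpsys_text)
    source = installers(pm_text)
    findings = []
    for pkg in a11y | admins:
        checks = [
            (pkg in a11y, "accessibility service enabled"),
            (pkg in admins, "device administrator"),
            (source.get(pkg) != PLAY_STORE, "not installed from Google Play"),
            (pkg not in launcher_packages, "no launcher icon"),
        ]
        findings.append((pkg, [why for hit, why in checks if hit]))
    return sorted(findings, key=lambda f: (-len(f[1]), f[0]))

# Constructed sample data; com.example.flashupdate is a made-up package name.
A11Y = "com.example.flashupdate/.Svc:com.google.android.marvin.talkback/.TalkBackService"
DUMPSYS = """Enabled Device Admins (User 0):
  ComponentInfo{com.example.flashupdate/com.example.flashupdate.Admin}
"""
PM = """package:com.example.flashupdate  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
"""
LAUNCHER = {"com.google.android.marvin.talkback"}  # hypothetical: packages with a visible icon

if __name__ == "__main__":
    for pkg, reasons in triage(A11Y, DUMPSYS, PM, LAUNCHER):
        print(pkg, "->", "; ".join(reasons))
```

Preinstalled system apps also report `installer=null`, so the installer reason is a prompt for review rather than a verdict on its own.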