- Oct 23, 2012
- 12,527
Zscaler has detected a new Android banking trojan that is currently only active in South Korea, where it infects users posing as a popular antivirus app and then stealing SMS messages and authentication certificates used for banking operations.
Based on technical analysis provided by the Zscaler team, the yet unnamed banking trojan is still under development and seems to be the companion of a desktop banking trojan, but may also be further developed to work on its own.
There are only three main features included in the trojan's code. The first is the ability to talk to its C&C server, from where it receives instructions and where it sends stolen data.
The second is its ability to intercept and steal SMS messages without showing any indicators on the user's screen that a message was received.
This feature is really useful when a banking transaction takes place, and the user receives a confirmation SMS message. If the user doesn't see the SMS, then he or she won't be alerted that a mobile or desktop trojan is ravaging their bank account.
Based on technical analysis provided by the Zscaler team, the yet unnamed banking trojan is still under development and seems to be the companion of a desktop banking trojan, but may also be further developed to work on its own.
There are only three main features included in the trojan's code. The first is the ability to talk to its C&C server, from where it receives instructions and where it sends stolen data.
The second is its ability to intercept and steal SMS messages without showing any indicators on the user's screen that a message was received.
This feature is really useful when a banking transaction takes place, and the user receives a confirmation SMS message. If the user doesn't see the SMS, then he or she won't be alerted that a mobile or desktop trojan is ravaging their bank account.
Trojan can steal digital certificates used in financial operations
The third is the trojan's ability to steal files related to South Korea's NPKI (National Public Key Infrastructure), which app makers and banks use to protect financial transactions. If crooks get their hands on NPKI files, then they could impersonate the victim in financial operations. Fortunately, these certificates can be useful only if the trojan gets ahold of login credentials for the app it stole the certificates from.
As you see, there are a few things that the trojan still needs to collect in order to be more dangerous, but crooks have a habit of churning out new malware versions at quite a rapid pace.
Currently, Zscaler warns that crooks are distributing the trojan disguised as a fake V3 Mobile Plus app, which is an Android antivirus engine developed by a local South Korean company and is very popular in the country.
