A new Android banking trojan that targeted 232 banking apps by hiding behind a fake Flash Player app and obtaining administrative rights to Android devices has been detected by alert researchers.
The Android banking trojan was capable of stealing login credentials by displaying fake login screen over apps, hijacking SMSs, and uploading contact lists and SMSs on a malicious server.
The Android banking trojan, dubbed Android.banker.A2f8a, was first observed and its activities tracked by alert researchers at security firm Quick Heal. The researchers noted that the trojan hid behind a fake Flash Player app on third-party app stores and exploited the popularity of the Flash Player to infect millions of devices.
Once the fake app is downloaded on an Android device, the trojan takes over and repeatedly requests the user to activate administrative rights until it obtains the same. Once administrative rights are obtained, the trojan scans the device for as many as 232 banking and cryptocurrency apps. If it finds any, the trojan sends fake notifications on behalf of such apps and asks the user to login on a fake screen, thereby capturing his/her username and password for banking apps.
‘The malware can intercept all incoming and outgoing SMSs from the infected device. This enables the attackers to bypass SMS-based two-factor authentication on the victim’s bank account (OTP). The malware was also able to send SMSs with a dynamically received text and number from the server’s side,’ they added.
Not only does the Android banking trojan collect all SMSs stored on a device, but also sets a device’s ringer volume to silent to ensure users do not notice new notifications from banks.
‘Mobile malware such as the Android Trojan can mimic legitimate banking apps as well as notifications. When a customer accepts a notification sent by the malware, they will typically be redirected to a fraudulent website and prompted to enter their login details. In so doing, fraudsters exploit a key vulnerability in authentication methods – even multi-factor authentication methods,’ says Tertius Wessels, Product Manager at Entersekt.
‘When a customer has to enter sensitive information such as a PIN or one-time password into the same channel where they had logged in to their online banking platform or initiated a payment, for example, it enables a fraudster listening in on or tracking that channel to capture the sensitive information,’ he adds.
A number of apps run by prominent Indian banks like the State Bank of India, Axis Bank, HDFC Bank, ICICI Bank, IDBI Bank, Union Bank of Commerce, and Bank of Baroda have so far been targeted by the trojan. Aside from Indian banking apps, the trojan has also targeted banks and cryptocurrency exchanges in other countries like Bitfinex, Bitconium, Freewallet, WUBS Prepaid, Alfa-Direct, GarantiBank, QNB Finansinvest, Commerzbank, PayPal, Bank of America, Wells Fargo Bank, NatWest Bank, Halifax and Santander UK.
Other popular apps like Amazon Shopping, 365Scores, PokerStars Live, eBay, Amazon for Tablets, and Western Union US have also been targeted by the said trojan.
The researchers are now asking Android device users not to download any Flash Player apps as the original Adobe Flash Player was discontinued after the Android 4.1 update. At the same time, users are also being asked not to download any app from third-party app stores and to ensure that the ‘downloading apps from other sources’ feature on their devices are always disabled.
Commenting on the presence of various banking trojans, Wessels adds that there must be an encrypted out-of-band channel for communications between banks and consumers so that fraudsters are not able to access authentication requests pushed by banks to their customers’ devices. This will ensure that fraudsters will not be able to perform any transactions by stealing login credentials of users.