Malware that targets Android phones has been on a steady rise for the last couple of years, and much of it has come in the form of compromised apps or outright malicious apps disguised as games or utilities. But now researchers have come across a new Android threat that is designed specifically to steal users’ online banking credentials and create persistent, silent access to the compromised handset.
The newly discovered piece of malware comes in the form of an application that, when executed, presents the user with a dialog box posing as a generator of software tokens for an online banking session. The generator app is customized for several different European banks and uses the actual logos and colors associated with each bank. The malware then harvests several pieces of information from the compromised phone and sends them off to a remote server.
“To get the fake token, the user must enter the first factor of authentication (used to obtain initial access to the banking account). If this action is not performed, the application shows an error. When the user clicks “Generar” (Generate), the malware shows the fake token (which is in fact a random number) and sends the password to a specific cell phone number along with the device identifiers (IMEI and IMSI). The same information is also sent to one of the control servers along with further data such as the phone number of the device,” Carlos Castillo of McAfee wrote in an analysis of the threat.
The original file that contains the malware also includes a list of the control servers that the malware can connect to, as well as a mobile number that the data from the compromised phone can be sent to via SMS. The malware also creates a service that listens for commands from the control server. The commands can include installing a new list of control servers or requesting that the malware gather and send all of the contacts from the compromised phone.
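The behaviour described above (SMS exfiltration of the password and IMEI/IMSI, control-server traffic, a command-listening service, and an on-demand contacts dump) gives a defender a capability profile to triage against. The following script is an added example, not code from McAfee's analysis; it assumes those capabilities map to the standard Android permissions SEND_SMS, READ_PHONE_STATE, INTERNET and READ_CONTACTS, and the two manifests it checks are constructed samples, not real apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each capability the analysis attributes to the Trojan, mapped to the Android
# permission an app needs to carry it out (real permission names; the mapping
# itself is this example's assumption).
CAPABILITY_PERMISSIONS = {
    "sms_exfil":     {"android.permission.SEND_SMS"},          # password + IMEI/IMSI by SMS
    "device_ids":    {"android.permission.READ_PHONE_STATE"},  # IMEI/IMSI, phone number
    "c2_network":    {"android.permission.INTERNET"},          # control-server traffic
    "contacts_dump": {"android.permission.READ_CONTACTS"},     # "send all contacts" command
}

def triage_manifest(manifest_xml: str) -> dict:
    """Score an AndroidManifest.xml against the capability profile above."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    services = [e.get(ANDROID_NS + "name") for e in root.iter("service")]
    matched = sorted(c for c, need in CAPABILITY_PERMISSIONS.items() if need <= perms)
    # A token generator has no business sending SMS or reading contacts, and a
    # long-lived service is what lets the Trojan sit and wait for commands.
    score = len(matched) + (1 if services else 0)
    return {
        "matched": matched,
        "services": services,
        "score": score,
        "suspicious": "sms_exfil" in matched and score >= 4,
    }

# Constructed sample manifests (not taken from any real app).
TROJAN_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.token.generator">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".TokenActivity"/>
    <service android:name=".CommandService"/>
  </application>
</manifest>"""

BENIGN_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.bank.token">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".TokenActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("trojan-like", TROJAN_LIKE), ("benign-like", BENIGN_LIKE)):
        print(name, triage_manifest(m))
```

The score is a triage hint for which APKs to pull into a sandbox first, not a verdict; a legitimate banking app may legitimately hold several of these permissions.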
Much of the malware that plagues desktop PCs these days is designed to perform some kind of financial fraud, phishing or other theft. Researchers have said that they expected this to creep into the mobile platforms as well, but the evolution has been somewhat stunted so far. That may now be changing.
“Android malware that targets financial entities is in constant evolution: From man-in-the-middle attacks we now see more sophisticated, remote-controlled banking Trojans that can get more than one factor of authentication and update themselves to, for example, modify a phishing attack to get other required credentials–such as the name or the ID number of the user–to perform electronic fraud. Due to the increasing popularity of Android and mobile-banking applications, we expect that more threats like this will appear,” Castillo wrote.