The security firm Trusteer reports that new Web-based attacks are targeting Android smartphone users in a campaign to circumvent two-factor sign-on features used by many banks to protect account holders.
Writing on the Trusteer blog on Tuesday, CTO Amit Klein said that researchers there have identified new attacks against mobile banking customers that use both the SpyEye and Tatanga banking Trojans. The attacks, which target Android mobile device users but not those of other platforms, are the latest evidence that cyber criminals are concentrating on Google’s Android platform, which makes up 51% of the smartphone market in the U.S. and between 46% and 61% in the major European markets.
Klein said the new attacks are variations of those that have been circulating in the last year. Windows users are targeted with Web injection attacks against vulnerable desktop Web browsers, which trick them into installing a fake banking security application on their phones. The malicious application poses as a banking security application that verifies account holders’ Web-based banking logins using SMS messages.
Once installed, the desktop malware asks victims to identify the type of mobile device they use. Victims who use an operating system other than Android are told that no other action is required. Android users, however, are asked to provide their phone number. A link for downloading the malicious application is then sent to the phone.
Trusteer has identified the same application being pushed by both the SpyEye and Tatanga malware, suggesting that the same criminal group is using two different malicious applications to support their scam.
Once installed, the mobile malware captures SMS (short message service) traffic. That includes authorization codes sent by the victim’s bank to their mobile phone. SMS messages are forwarded to the fraudsters, allowing them to initiate fraudulent transactions and transfers, then capture the SMS codes needed to authorize them.
Trusteer said the attacks, which began in June, use malicious Web sites hosted in China and the U.S. Those Web sites are not currently active, Trusteer said.
Android, Google’s open source mobile operating system, has struggled with the issue of malicious mobile applications since launching. Kaspersky Lab researchers warned of an outbreak of the Zeus Trojan posing as Android malware in June, and of a suspicious application that stole users’ phonebooks, which was circulating on Google’s Play marketplace and Apple’s App Store in July. In February, Google introduced the Bouncer application to help vet applications that were submitted to its mobile marketplace. However, researchers quickly figured out ways to fool Bouncer’s automated code auditing.