Using the stolen credentials, thieves can then log in to the victim’s account remotely and transfer money out. They can also use the malware to send them all of the SMS text messages received by the infected device, and remove them.
“This allows SMS-based two-factor authentication of fraudulent transactions to be bypassed, without raising the suspicions of the device’s owner,” says Lukáš Štefanko, ESET Malware Researcher specializing in Android malware.
The Trojan spreads by imitating a Flash Player application. After being downloaded and installed, the app requests device administrator rights, to protect itself from being easily uninstalled. After that, the malware checks if any target banking applications are installed on the device. If it finds any it loads fake login screens for each banking app from its command and control server. When the victim launches a banking app, a fake login screen then appears over the top of the legitimate app, leaving the screen locked until the victim submits their banking credentials.
The campaign uncovered by ESET researchers targets major banks in Australia, New Zealand and Turkey. However, “The attack has been massive and it can be easily re-focused to any another set of target banks,” warns Štefanko. In fact, the 20 financial institutions currently targeted by the app include the largest retail banks in each of the three countries.
The malware is also said to be subject to ongoing development. While its first versions were simple, and their malicious purpose easily identifiable, the most up-to-date versions feature better obfuscation and encryption.
More information on the malware and how to remove it can be found on the ESET WeLiveSecurity blog.