Around a year and a half ago, Symantec warned about the personal data stealing malware Android.Bankosy. Now the Trojan has been updated so it can steal passwords delivered via voice call-based two-factor authorization systems.
Such 2FA systems are often used by banks to communicate one-time passcodes to people. While these have usually been delivered via SMS, voice call delivery is becoming increasingly common. Malware makers are keen not to miss out on data stealing opportunities, and the Android.Bankosy introduces a call-forwarding feature that sends 2FA calls to a C&C server so the code can be intercepted and exploited.
The malware enables call-forwarding on an infected phone, and is also able to enable silent mode to avoid alerting a victim about incoming calls. A successful attack is dependent on a victim’s basic login credentials having already been stolen, but the malware represents a worrying new development in breaking through banking security.
Once the malware is installed on the victim’s device, it opens a back door, collects a list of system-specific information, and sends it to the command and control (C&C) server to register the device and then get a unique identifier for the infected device. If the registration is successful, it uses the received unique identifier to further communicate with the C&C server and receive commands.
Most of the commands supported by the malware are common and trivial for typical back door or financial Trojans, such as intercepting incoming SMS, deleting SMS messages, wiping the data, etc. Out of these multiple commands, the most relevant for Android.Bankosy is call_forwarding; when this command is received by the malware from the C&C server, it executes a payload to enable call forwarding.
Full details of the malware is available from Symantec.