Security Experts:

Connect with us

Hi, what are you looking for?



Android Malware Variant Targeting Online Banking Users in Italy, Thailand

Researchers from MacAfee have uncovered a new variant of Android malware targeting banking customers in Italy and Thailand.

Researchers from MacAfee have uncovered a new variant of Android malware targeting banking customers in Italy and Thailand.

This particular Android banking Trojan is distributed via phishing links and pretends to be an app that checks certificate to ensure they are valid, Carlos Castillo, a malware researcher with McAfee Labs, wrote in a blog post Wednesday. Similar types of Android malware attacked banking customers in South Korea and India, and malware posing as mobile banking apps have been found in Spain and Portugal, Castillo said.

Android MalwareThis Android Trojan’s execution is very simple. It prompts the user to enter a password for the online banking account. When the user submits the password, the malware saves the information for future fraud. The user sees a screen with a fake security token. This part is similar to what has been seen in other Android banking Trojan families, Castillo said.

Android banking Trojans infect phones and steal passwords when victims log onto their online bank accounts. Castillo called it a “very profitable line” of work for mobile malware developers.

Unlike earlier variants of the Trojan, this version does not send the password it harvested from the user to the attacker via Internet or SMS message. Instead, the malware sends an SMS to a specific Russian phone number with the message “I am here,” in Russian, or “init,” the first time the application runs, Castillo said. After the app is closed, the malware remains running in the background in order to intercept all incoming SMS messages.

However, not all captured messages are forwarded on to the remote control server. Instead, the malware runs through two filter mechanisms to isolate messages that contain the banking code generated by the banks’ servers and sent to the user via SMS to authenticate the transaction. The malware then calculates if the code is still valid by checking the difference between when the SMS was sent and the current time. If the code has expired, the SMS is not forwarded to the server, Castillo found.

One variant in this particular Android family masquerades as Trusteer Rapport, the banking security application from Trusteer, Castillo wrote. The fake Trusteer app looks entirely different from other Android Trojans, but exhibits the same behavior.

Users who have been targeted by either type of Android malware should reach out to their financial institutions to receive instructions on how to secure their accounts, Castillo suggested.

Written By

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack