Connect with us

Hi, what are you looking for?



Android Malware Variant Targeting Online Banking Users in Italy, Thailand

Researchers from MacAfee have uncovered a new variant of Android malware targeting banking customers in Italy and Thailand.

Researchers from MacAfee have uncovered a new variant of Android malware targeting banking customers in Italy and Thailand.

This particular Android banking Trojan is distributed via phishing links and pretends to be an app that checks certificate to ensure they are valid, Carlos Castillo, a malware researcher with McAfee Labs, wrote in a blog post Wednesday. Similar types of Android malware attacked banking customers in South Korea and India, and malware posing as mobile banking apps have been found in Spain and Portugal, Castillo said.

Android MalwareThis Android Trojan’s execution is very simple. It prompts the user to enter a password for the online banking account. When the user submits the password, the malware saves the information for future fraud. The user sees a screen with a fake security token. This part is similar to what has been seen in other Android banking Trojan families, Castillo said.

Android banking Trojans infect phones and steal passwords when victims log onto their online bank accounts. Castillo called it a “very profitable line” of work for mobile malware developers.

Unlike earlier variants of the Trojan, this version does not send the password it harvested from the user to the attacker via Internet or SMS message. Instead, the malware sends an SMS to a specific Russian phone number with the message “I am here,” in Russian, or “init,” the first time the application runs, Castillo said. After the app is closed, the malware remains running in the background in order to intercept all incoming SMS messages.

However, not all captured messages are forwarded on to the remote control server. Instead, the malware runs through two filter mechanisms to isolate messages that contain the banking code generated by the banks’ servers and sent to the user via SMS to authenticate the transaction. The malware then calculates if the code is still valid by checking the difference between when the SMS was sent and the current time. If the code has expired, the SMS is not forwarded to the server, Castillo found.

One variant in this particular Android family masquerades as Trusteer Rapport, the banking security application from Trusteer, Castillo wrote. The fake Trusteer app looks entirely different from other Android Trojans, but exhibits the same behavior.

Users who have been targeted by either type of Android malware should reach out to their financial institutions to receive instructions on how to secure their accounts, Castillo suggested.

Advertisement. Scroll to continue reading.
Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights