Android Malware Variant Targeting Online Banking Users in Italy, Thailand

Researchers from MacAfee have uncovered a new variant of Android malware targeting banking customers in Italy and Thailand.

This particular Android banking Trojan is distributed via phishing links and pretends to be an app that checks certificate to ensure they are valid, Carlos Castillo, a malware researcher with McAfee Labs, wrote in a blog post Wednesday. Similar types of Android malware attacked banking customers in South Korea and India, and malware posing as mobile banking apps have been found in Spain and Portugal, Castillo said.

This Android Trojan’s execution is very simple. It prompts the user to enter a password for the online banking account. When the user submits the password, the malware saves the information for future fraud. The user sees a screen with a fake security token. This part is similar to what has been seen in other Android banking Trojan families, Castillo said.

Android banking Trojans infect phones and steal passwords when victims log onto their online bank accounts. Castillo called it a “very profitable line” of work for mobile malware developers.

Unlike earlier variants of the Trojan, this version does not send the password it harvested from the user to the attacker via Internet or SMS message. Instead, the malware sends an SMS to a specific Russian phone number with the message “I am here,” in Russian, or “init,” the first time the application runs, Castillo said. After the app is closed, the malware remains running in the background in order to intercept all incoming SMS messages.

However, not all captured messages are forwarded on to the remote control server. Instead, the malware runs through two filter mechanisms to isolate messages that contain the banking code generated by the banks’ servers and sent to the user via SMS to authenticate the transaction. The malware then calculates if the code is still valid by checking the difference between when the SMS was sent and the current time. If the code has expired, the SMS is not forwarded to the server, Castillo found.

One variant in this particular Android family masquerades as Trusteer Rapport, the banking security application from Trusteer, Castillo wrote. The fake Trusteer app looks entirely different from other Android Trojans, but exhibits the same behavior.

Users who have been targeted by either type of Android malware should reach out to their financial institutions to receive instructions on how to secure their accounts, Castillo suggested.