SecurityWeek

Malware & Threats

Android Trojan Posing as Flash Player Targets Banking Apps

Security researchers at ESET have discovered a new piece of Android malware that poses as Flash Player, but instead steals login credentials from roughly 20 mobile banking apps.

Dubbed Android/Spy.Agent.SI, the Android banking Trojan was observed in a campaign targeting customers of large banks in Australia, New Zealand and Turkey and is capable of intercepting SMS communications, meaning that it was designed to bypass SMS-based 2FA (two-factor authentication) systems.

ESET’s Lukas Stefanko explains that the malware was hosted on several domains that were registered early this year, with the URL paths to the malicious APK being regenerated each hour, in an attempt to avoid URL detection. The researcher also notes that the Trojan masquerades as Flash Player and that it has a “legitimate-looking” icon.

After installation, the app requests device administrator rights and then hides the Flash Player icon, although the malware remains active in the background. The Trojan communicates with its command and control (C&C) server, sending out information about the device such as model type, IMEI number, language, SDK version, and whether device administrator rights have been activated.

Next, the malware gathers information on installed applications, including mobile banking apps, and sends the list to the remote server, which responds with a list of 49 target apps, although only some of them are directly attacked. The Trojan overlays a window on top of the launched banking application, a phishing technique meant to steal users’ login credentials for mobile banking apps and Google accounts.

The fake login screen that overlays the original banking one is triggered when the application is launched and closes after the user fills in their personal data. The information is not verified; it is immediately sent to the server in plain text, although the communication between the device and the server is normally encrypted, Stefanko said.

Figure: fake login screens displayed by the Android malware
</gra_replace>
<gr_replace lines="27" cat="clarify" orig="The Android banking Trojan also">
The Android banking Trojan also forwards all received text messages to the server, which allows its operators to bypass SMS-based 2FA mechanisms. All SMS text messages from the bank are immediately redirected to the attacker and removed from the client device, so as not to attract any suspicion.

The Android banking Trojan also captures all received text messages to the server, which allows its operators bypass 2FA mechanisms. All SMS text messages from the bank are immediately redirected to the attacker and removed from the client device, so as not to attract any suspicion.
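As an added illustration, not code from ESET’s report or from this article, the following Python triage heuristic scores an Android app inventory against the behaviours described above: device administrator rights, a hidden launcher icon, SMS interception and overlay capability. The inventory format, package names and sample entries are constructed for the example.

```python
# Added example: heuristic triage of an Android app inventory against the
# behaviours described in the article (device-admin abuse, hidden icon,
# SMS capture, overlay phishing). The inventory format is constructed.
from dataclasses import dataclass, field

SMS = "android.permission.RECEIVE_SMS"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"


@dataclass
class App:
    package: str
    label: str
    device_admin: bool      # app holds an active device administrator
    launcher_icon: bool     # app still shows an icon in the launcher
    permissions: set = field(default_factory=set)


def risk_indicators(app: App) -> list:
    """Return the indicators an app matches; an empty list means nothing notable."""
    hits = []
    if app.device_admin and not app.launcher_icon:
        hits.append("device-admin app with hidden launcher icon")
    if app.device_admin and SMS in app.permissions:
        hits.append("device admin combined with SMS interception")
    if OVERLAY in app.permissions and SMS in app.permissions:
        hits.append("overlay capability combined with SMS access")
    # Adobe no longer distributes Flash Player for Android, so the label on a
    # non-Adobe package is itself worth flagging (package prefix is assumed).
    if app.label.lower() == "flash player" and not app.package.startswith("com.adobe."):
        hits.append("Flash Player label on a non-Adobe package")
    return hits


def triage(inventory) -> dict:
    """Map package name -> indicators for apps matching at least two indicators."""
    return {a.package: risk_indicators(a)
            for a in inventory if len(risk_indicators(a)) >= 2}


# Constructed sample inventory (package names and fields are invented)
SAMPLE = [
    App("com.example.flashplayer", "Flash Player", True, False,
        {SMS, OVERLAY, "android.permission.INTERNET"}),
    App("com.example.messenger", "Messenger", False, True,
        {SMS, "android.permission.INTERNET"}),
    App("com.example.bank", "My Bank", False, True, {"android.permission.INTERNET"}),
]

if __name__ == "__main__":
    for pkg, hits in triage(SAMPLE).items():
        print(pkg, "->", "; ".join(hits))
```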

The mobile banking applications targeted by the malware include those from Westpac, Bendigo Bank, Commonwealth Bank, St. George Bank, National Australia Bank, Bankwest, Me Bank, ANZ Bank, ASB Bank, Bank of New Zealand, Kiwibank, Wells Fargo, Halkbank, Yapı Kredi Bank, VakıfBank, Garanti Bank, Akbank, Finansbank, Türkiye İş Bankası and Ziraat Bankası.

According to ESET, users can uninstall the malware by simply deactivating its device admin rights (Settings > Security > Device administrators > Flash Player) and then simply removing it (Settings > Apps/Application manager > Flash Player > Uninstall).

However, the malware’s operators can also send commands to disable deactivation of device administrator rights, which might complicate things. In such cases, the malware actually creates an overlay activity that presents users with a confirmation button, which, in fact, prevents them from deactivating the admin rights.

Stefanko explains that users can deactivate administrator privileges from Safe mode, since third-party applications are not loaded or executed in this mode. Thus, the user can safely perform the deactivation and then uninstall the malicious application.

Last month, Palo Alto researchers revealed that the Xbot Android Trojan was mimicking the login pages of 7 different banks’ apps, while also being capable of locking devices, stealing SMS messages and contact information, and intercepting messages. In January, Symantec security researchers detailed the Bankosy Android malware, which could also deceive voice call-based two-factor authentication (2FA) systems.
