European Banks Targeted by “SmsSecurity” Android Trojan

The cybercriminals behind a campaign first analyzed in 2014 continue to improve their Android malware, adding anti-analysis mechanisms, device rooting capabilities, and remote access features via the TeamViewer app.

Operation Emmental was discovered by Trend Micro researchers in 2014, when attackers leveraged a combination of Android malware, rogue DNS servers and phishing websites to steal user data and bypass the SMS-based two-factor authentication systems of many financial institutions in Europe and Japan.

The security firm revisited Operation Emmental in January 2016, after noticing that the cybercriminals had updated their malware with a feature designed to lock users out of their smartphones. The malicious applications, named “SmsSecurity,” were designed to mimic one-time password (OTP) generators for various banks and the goal of the lockout feature was most likely to keep the victims occupied while their bank accounts were looted.

Trend Micro on Thursday reported that the SmsSecurity apps have been enhanced with new capabilities. In addition to stealing passwords found in SMS messages, the Android malware, detected as ANDROIDOS_FAKEBANK.OPSA, is now designed to make dynamic analysis more difficult.

Furthermore, the Trojan tricks users into activating accessibility services, which allows it to simulate user actions on the infected phone. Accessibility services are abused to install a device rooting tool and provide administrator privileges to the malware without any user interaction.

The SmsSecurity applications also install the TeamViewer QuickSupport app, enabling attackers to remotely take control of the infected device.
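
A defender-side triage for the two artefacts described above (an accessibility service enabled by an unexpected app, and a remote-support app on the same device), as an added example that is not taken from Trend Micro's report or this article. The sample `adb` outputs, the allowlist and the package `com.example.smssecurity` are constructed; the TeamViewer QuickSupport package id is an assumption to verify against your own devices.

```python
# Constructed sample: output of
#   adb shell settings get secure enabled_accessibility_services
# Format: colon-separated "package/ServiceClass" components, or "null" if unset.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.smssecurity/.HelperService")

# Constructed sample: output of `adb shell pm list packages`
SAMPLE_PACKAGES = """package:com.android.settings
package:com.google.android.marvin.talkback
package:com.example.smssecurity
package:com.teamviewer.quicksupport.market
"""

ALLOWED_A11Y = {"com.google.android.marvin.talkback"}    # assumption: your allowlist
REMOTE_SUPPORT = {"com.teamviewer.quicksupport.market"}  # assumption: verify the id


def parse_a11y(raw):
    """Return the packages that own an enabled accessibility service."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [comp.split("/", 1)[0] for comp in raw.split(":") if comp]


def parse_packages(raw):
    """Return the set of installed package names from `pm list packages`."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def triage(a11y_raw, packages_raw, allowed=ALLOWED_A11Y):
    """Flag accessibility services outside the allowlist, and escalate a
    remote-support app when it coexists with such a service."""
    findings = [("unexpected_accessibility_service", pkg)
                for pkg in parse_a11y(a11y_raw) if pkg not in allowed]
    escalate = bool(findings)
    for pkg in sorted(parse_packages(packages_raw) & REMOTE_SUPPORT):
        kind = ("remote_support_with_unexpected_a11y" if escalate
                else "remote_support_installed")
        findings.append((kind, pkg))
    return findings


if __name__ == "__main__":
    for kind, pkg in triage(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"{kind}: {pkg}")
```
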

The malware is designed to work on devices set to languages such as English, German, Italian and French. The fake apps target banks in several European countries, including Austria, Hungary, Germany, Switzerland and Romania. It’s worth noting that many of the targets are cantonal banks, which are Swiss government-owned commercial banks.

“The relatively wide geographical distribution of these targets would explain the multilingual nature of its routines, as the targeted customers may be fluent in various languages,” Trend Micro researchers explained in a blog post.

“These new SmsSecurity variants represent an evolution in the capabilities of SmsSecurity. The use of Android’s accessibility features to implement malicious routines is a novel way to carry out automated activity that may well be imitated by other mobile malware families in the future,” they added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
