Connect with us

Hi, what are you looking for?


Mobile & Wireless

European Banks Targeted by “SmsSecurity” Android Trojan

The cybercriminals behind a campaign first analyzed in 2014 continue to improve their Android malware, including with anti-analysis mechanisms, device rooting capabilities, and remote access features via the TeamViewer app.

The cybercriminals behind a campaign first analyzed in 2014 continue to improve their Android malware, including with anti-analysis mechanisms, device rooting capabilities, and remote access features via the TeamViewer app.

Operation Emmental was discovered by Trend Micro researchers in 2014, when attackers leveraged a combination of Android malware, rogue DNS servers and phishing websites to steal user data and bypass the SMS-based two-factor authentication systems of many financial institutions in Europe and Japan.

The security firm revisited Operation Emmental in January 2016, after noticing that the cybercriminals had updated their malware with a feature designed to lock users out of their smartphones. The malicious applications, named “SmsSecurity,” were designed to mimic one-time password (OTP) generators for various banks and the goal of the lockout feature was most likely to keep the victims occupied while their bank accounts were looted.

Trend Micro on Thursday reported that the SmsSecurity apps have been enhanced with new capabilities. In addition to stealing passwords found in SMS messages, the Android malware, detected as ANDROIDOS_FAKEBANK.OPSA, is now designed to make dynamic analysis more difficult.

Furthermore, the Trojan tricks users into activating accessibility services, which allows it to simulate user actions on the infected phone. Accessibility services are abused to install a device rooting tool and provide administrator privileges to the malware without any user interaction.

The SmsSecurity applications also install the TeamViewer QuickSupport app, enabling attackers to remotely take control of the infected device.

The malware is designed to work on devices set to languages such as English, German, Italian and French. The fake apps target banks in several European countries, including Austria, Hungary, Germany, Switzerland and Romania. It’s worth noting that many of the targets are cantonal banks, Swiss government-owned commercial banks.

Advertisement. Scroll to continue reading.

“The relatively wide geographical distribution of these targets would explain the multilingual nature of its routines, as the targeted customers may be fluent in various languages,” Trend Micro researchers explained in a blog post.

“These new SmsSecurity variants represent an evolution in the capabilities of SmsSecurity. The use of Android’s accessibility features to implement malicious routines is a novel way to carry out automated activity that may well be imitated by other mobile malware families in the future,” they added.

Related Reading: Gugi Banking Trojan Can Bypass Android 6 Protection

Related Reading: Android Trojan Prevents Security Apps From Launching

Related Reading: Tordow Android Trojan Gets Root Privileges for New Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.