European Banks Targeted by “SmsSecurity” Android Trojan

The cybercriminals behind a campaign first analyzed in 2014 continue to improve their Android malware, including with anti-analysis mechanisms, device rooting capabilities, and remote access features via the TeamViewer app.

Operation Emmental was discovered by Trend Micro researchers in 2014, when attackers leveraged a combination of Android malware, rogue DNS servers and phishing websites to steal user data and bypass the SMS-based two-factor authentication systems of many financial institutions in Europe and Japan.

The security firm revisited Operation Emmental in January 2016, after noticing that the cybercriminals had updated their malware with a feature designed to lock users out of their smartphones. The malicious applications, named “SmsSecurity,” were designed to mimic one-time password (OTP) generators for various banks and the goal of the lockout feature was most likely to keep the victims occupied while their bank accounts were looted.

Trend Micro on Thursday reported that the SmsSecurity apps have been enhanced with new capabilities. In addition to stealing passwords found in SMS messages, the Android malware, detected as ANDROIDOS_FAKEBANK.OPSA, is now designed to make dynamic analysis more difficult.

Furthermore, the Trojan tricks users into activating accessibility services, which allows it to simulate user actions on the infected phone. Accessibility services are abused to install a device rooting tool and provide administrator privileges to the malware without any user interaction.

The SmsSecurity applications also install the TeamViewer QuickSupport app, enabling attackers to remotely take control of the infected device.
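For defenders, the two behaviors described above (an unexpected accessibility service and a remote-support app present on the same device) can be checked from the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages`. The following is an added example, not code from Trend Micro or the article; the allowlist, the `com.example.smssecurity` package and the sample output are constructed, and the QuickSupport package ID is an assumption to verify against your own inventory.

```python
# Added triage example; every sample value below is constructed for illustration.
ALLOWED_A11Y = {"com.google.android.marvin.talkback"}  # assumption: your approved services
REMOTE_TOOLS = {"com.teamviewer.quicksupport.market"}  # assumption: verify the package ID

# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.smssecurity/.HelperService"
)
# Constructed output of: adb shell pm list packages
SAMPLE_PKGS = """package:com.android.chrome
package:com.google.android.marvin.talkback
package:com.example.smssecurity
package:com.teamviewer.quicksupport.market
"""

def parse_a11y(raw):
    """Split the colon-separated 'package/Service' list; 'null' means none enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        if pkg:
            services.append((pkg, cls))
    return services

def parse_packages(raw):
    """Return the set of package names from 'package:<name>' lines."""
    prefix = "package:"
    return {line.strip()[len(prefix):] for line in raw.splitlines()
            if line.strip().startswith(prefix)}

def triage(a11y_raw, pkgs_raw):
    """Flag non-allowlisted accessibility services and installed remote-support tools."""
    unexpected = sorted({p for p, _ in parse_a11y(a11y_raw) if p not in ALLOWED_A11Y})
    remote = sorted(parse_packages(pkgs_raw) & REMOTE_TOOLS)
    if unexpected and remote:
        severity = "high"      # both behaviors from the report co-occur
    elif unexpected or remote:
        severity = "review"
    else:
        severity = "ok"
    return {"unexpected_accessibility": unexpected,
            "remote_tools": remote, "severity": severity}

if __name__ == "__main__":
    print(triage(SAMPLE_A11Y, SAMPLE_PKGS))
```

A "review" result is not proof of compromise, since remote-support apps and third-party accessibility services have legitimate uses; it marks a device for closer inspection.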

The malware is designed to work on devices set to languages such as English, German, Italian and French. The fake apps target banks in several European countries, including Austria, Hungary, Germany, Switzerland and Romania. It’s worth noting that many of the targets are cantonal banks, which are Swiss government-owned commercial banks.

“The relatively wide geographical distribution of these targets would explain the multilingual nature of its routines, as the targeted customers may be fluent in various languages,” Trend Micro researchers explained in a blog post.

“These new SmsSecurity variants represent an evolution in the capabilities of SmsSecurity. The use of Android’s accessibility features to implement malicious routines is a novel way to carry out automated activity that may well be imitated by other mobile malware families in the future,” they added.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
