Android Threat of the Week: ‘Smart’ Malware Targets Banking Credentials
A new form of "smart" Android malware can not only steal your online banking information, but update itself in the future and secretly send contact information stored on your device off to the Bad Guys.
By Al Sacco
Managing Editor, CIO
This week’s Android security threat is a doozy.
We’ve all heard about Android malware that steals data stored on users’ devices or accesses system resources. But one recently identified type of “smart” malware that’s meant to steal online banking credentials takes the theft process a step further by enabling persistent communication with external servers, so the malware could, for example, update itself with new commands or add new server addresses for future communication, according to online security company McAfee.
This new malware currently targets a number of widely used European banks, and it comes in the form of a “token generator” app, which supposedly provides users with a security token that can be used to initiate an online banking session. And the app mostly looks official since it uses the banks’ logos and colors.
From a McAfee blog post on the subject, penned by Malware Researcher Carlos Castillo:
“To get the fake token, the user must enter the first factor of authentication (used to obtain initial access to the banking account). If this action is not performed, the application shows an error. When the user clicks “Generar” (Generate), the malware shows the fake token (which is in fact a random number) and sends the password to a specific cell phone number along with the device identifiers (IMEI and IMSI). The same information is also sent to one of the control servers along with further data such as the phone number of the device.”
The app also includes a number of nasty lines of code that could be used to obtain users’ contact lists and then send them off to a control server.
“From man-in-the-middle attacks we now see more sophisticated, remote-controlled banking Trojans that can get more than one factor of authentication and update itself to, for example, modify a phishing attack to get other required credentials–such as the name or the ID number of the user–to perform electronic fraud,” writes Castillo. “Due to the increasing popularity of Android and mobile-banking applications, we expect that more threats like this will appear.”
I’d say that’s a certainty. And it’s honestly a bit frightening to see just how quickly modern mobile malware is evolving.
Al Sacco was a journalist, blogger and editor who covered the fast-paced mobile beat for CIO.com and IDG Enterprise, with a focus on wearable tech, smartphones and tablet PCs. Al managed CIO.com writers and contributors, covered news, and shared insightful expert analysis of key industry happenings. He also wrote a wide variety of tutorials and how-tos to help readers get the most out of their gadgets, and regularly offered up recommendations on software for a number of mobile platforms. Al resides in Boston and is a passionate reader, traveler, beer lover, film buff and Red Sox fan.