A strain of Android malware which can steal the login credentials of mobile banking users has been discovered by ESET researchers.
The detected malware, Android/Spy.Agent.SI, is said to present victims with a fake version of the login screen of their banking application and locks the screen until they enter their username and password. Using the stolen credentials, the thieves can then log in to the victim’s account remotely and transfer money out.
Lukas Stefanko, ESET Malware Researcher who specialises in Android malware, explains that the cyber criminals can even get the malware to send them all of the SMS text messages received by the infected device, and remove these. This allows SMS-based two-factor authentication of fraudulent transactions to be bypassed, without raising the suspicions of the device’s owner.
The Malware spreads as an imitation of Flash Player application. After being downloaded and installed, the app requests device administrator rights, to protect itself from being easily uninstalled from the device. After that, the malware checks if any target banking applications are installed on the device. If so, it receives fake login screens for each banking app from its command & control server. Then, once the victim launches a banking app, a fake login screen appears over the top of the legitimate app, leaving the screen locked until the victim submits their banking credentials, the experts warned.
According to the ESET researchers, this malware is subject to ongoing development. While its first versions were simple, and their malicious purpose easily identifiable, the most up-to-date versions feature better obfuscation and encryption.