Android Trojan Targets 200+ Global Financial Apps


An Android banking trojan that targets more than 232 banking apps has been uncovered, targeting financial institutions globally.

According to Quick Heal Security Labs, Banker A2f8a is designed for stealing login credentials, hijacking SMS messages, uploading contact lists and texts to a malicious server, displaying an overlay screen (to capture details) on top of legitimate apps and other malicious activities.

The fact that the malware can intercept all incoming and outgoing SMS from the infected device is important, given that this enables the attackers to bypass SMS-based two-factor authentication on the victim’s bank account (OTP).

The trojan is being distributed through a fake Flash Player app on third-party stores. This is a red flag in itself: Adobe discontinued the standalone Flash Player for Android after version 4.1, because the functionality is available in the mobile browser itself.

In an analysis, Bajrang Mane, who leads the threat analysis, incident response and automation teams at Quick Heal, explained its function:

After installing the malicious app, it will ask the user to activate administrative rights. And even if the user denies the request or kills the process, the app will keep throwing continuous pop-ups until the user activates the admin privilege. Once this is done, the malicious app hides its icon soon after the user taps on it. In the background, the app carries out malicious tasks: it keeps checking the installed apps on the victim’s device and particularly looks for 232 apps (banking and some cryptocurrency apps). If any one of the targeted apps is found on the infected device, the app shows a fake notification on behalf of the targeted banking app. If the user clicks on the notification, they are shown a fake login screen to steal the user’s confidential info like net banking login ID and password.

In order to stay safe from this and other banking trojans, users should avoid downloading apps from third-party app stores or from links provided in texts or emails. They should also keep ‘Unknown Sources’ disabled at all times, and verify app permissions before installing any app, even from official stores such as Google Play. Any OS or app updates should be installed as soon as they’re released.
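The capabilities described above (intercepting SMS, uploading contacts, drawing an overlay on top of other apps, and holding device-admin rights) each map to a declared permission or component in an app's manifest, so the "verify app permissions" advice can be turned into a concrete pre-install check. The following script is an added example and is not code from Quick Heal or from the article; it assumes a decoded AndroidManifest.xml in the text form that apktool produces (not the binary XML inside the APK), and both sample manifests and their package names are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the permission pattern a banking
trojan combines: SMS access + screen overlay + device admin + network.

Assumes the manifest is already decoded to text XML (e.g. by apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups from the article, mapped to the permissions that grant them.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "contact_upload": {"android.permission.READ_CONTACTS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "network": {"android.permission.INTERNET"},
}


def parse_manifest(xml_text):
    """Extract declared permissions and whether a device-admin receiver exists."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    # A device-admin receiver must be protected by BIND_DEVICE_ADMIN; its
    # presence is what lets an app demand "administrative rights" on install.
    device_admin = any(
        r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver")
    )
    return {"package": root.get("package"), "permissions": perms, "device_admin": device_admin}


def triage(info):
    """Return the matched capability indicators and a high-risk verdict.

    The verdict fires only on the combination the article describes: the app
    can read SMS (OTP theft), draw overlays (fake login screens) and holds
    device admin (resists removal). Each on its own is legitimate for some apps.
    """
    hits = [cap for cap, needed in CAPABILITIES.items() if needed & info["permissions"]]
    if info["device_admin"]:
        hits.append("device_admin")
    high_risk = {"sms_interception", "overlay", "device_admin"} <= set(hits)
    return {"package": info["package"], "indicators": sorted(hits), "high_risk": high_risk}


# Constructed sample: what a fake "Flash Player" banker's manifest might declare.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeflash">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flash Player">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage(parse_manifest(text))
        print(result["package"], "HIGH RISK" if result["high_risk"] else "ok", result["indicators"])
```

To use it on a real sample, decode the APK with apktool and feed the resulting AndroidManifest.xml text to `parse_manifest`. The verdict deliberately keys on the combination rather than any single permission: SMS apps legitimately read SMS and screen filters legitimately draw overlays, but a self-styled Flash Player that needs all three plus device admin matches the behaviour the article describes.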
