ESET recently discussed man-in-the-browser (MITB) malware that it calls Gataka, and concluded that its stability and functionality could make it popular with fraudsters in the future. Gataka is the same malware family that Trusteer calls Tatanga, and Trusteer now reports that a Tatanga variant has migrated onto the Android platform.
The new attack starts in the desktop browser, where a web injection lures victims into installing a fake security app on their Android phone. Targets are told that a new security feature requires them to install a special security app on their mobile device, and that 15 million users already use the system.
First they are asked which mobile platform they use. If they specify anything other than BlackBerry or Android, they are told the app isn't necessary. If the platform is BlackBerry, they are eventually told that installation has been successful, although no malware is actually installed. The Android path, however, first asks for their mobile number and then indicates that a link has been sent to the phone by SMS. Targets are asked to follow the link and install the security application, which is, of course, the Tatanga malware.
Once installed on the phone, Tatanga can capture all future SMS traffic, including bank authorization codes, and send it to the fraudsters. The fraudsters can therefore initiate a fraudulent bank transfer from the compromised desktop session and capture the one-time code needed to complete it, bypassing the SMS-based out-of-band authorization (often called mTAN) used by many European banks. The second channel is only "out of band" while the attacker does not also control the phone; once the same attacker has both the browser and the SMS inbox, the scheme degrades to a single compromised channel.
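The following toy model, added here as an illustration and not code from the article or from Trusteer, shows why a transaction-bound SMS code stops a man-in-the-browser attack on its own but not once the phone forwards SMS to the attacker. The bank, phone, attacker and message formats are all constructed for the example; nothing here reproduces Tatanga's actual implementation.

```python
"""Toy model of SMS-based out-of-band transfer authorization (mTAN) and of why it
collapses once the phone copies SMS to the attacker.  Constructed example: the bank,
phone, attacker and SMS wording are simplifications, not Tatanga's actual code."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    account: str
    dest_iban: str
    amount_eur: int


class Bank:
    """Bank side: one code per transfer, bound to its details, delivered by SMS."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # per-bank HMAC key (assumed)
        self._phones = {}                      # account -> Phone (stands in for the SMS network)
        self._pending = {}                     # txid -> (Transfer, code)
        self.ledger = []

    def enroll(self, account, phone):
        self._phones[account] = phone

    def request_transfer(self, t):
        txid = secrets.token_hex(8)
        msg = f"{txid}|{t.dest_iban}|{t.amount_eur}".encode()
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:6]
        self._pending[txid] = (t, code)
        # The SMS repeats the transaction details so the user can verify them on a second device.
        self._phones[t.account].receive(
            f"Bank: confirm transfer of {t.amount_eur} EUR to {t.dest_iban} with code {code}")
        return txid

    def confirm(self, txid, code):
        t, expected = self._pending.pop(txid, (None, None))
        if t is None or not hmac.compare_digest(code, expected):
            return False
        self.ledger.append(t)
        return True


class Phone:
    def __init__(self):
        self.inbox = []

    def receive(self, text):
        self.inbox.append(text)


class InfectedPhone(Phone):
    """Phone running an SMS-forwarding trojan: every incoming SMS is copied to the
    attacker and hidden from the user, so the second factor is no longer out of band."""

    def __init__(self, attacker_inbox):
        super().__init__()
        self._exfil = attacker_inbox

    def receive(self, text):
        self._exfil.append(text)   # forwarded to the attacker; never reaches self.inbox


CODE_RE = re.compile(r"code (\w{6})")
SMS_RE = re.compile(r"transfer of (\d+) EUR to (\S+)")


def user_checks_and_confirms(bank, phone, txid, intended):
    """Clean-phone user: reads the SMS, compares it with the transfer they actually
    entered, and types the code only if amount and destination match."""
    for text in phone.inbox:
        m = SMS_RE.search(text)
        if m and (int(m.group(1)), m.group(2)) == (intended.amount_eur, intended.dest_iban):
            return bank.confirm(txid, CODE_RE.search(text).group(1))
    return False   # details do not match (or no SMS arrived): the user refuses


def legitimate_transfer_works():
    """Sanity check: with no attacker, the user's own transfer is confirmed."""
    bank, phone = Bank(), Phone()
    bank.enroll("victim", phone)
    t = Transfer("victim", "NL00LEGIT0000000001", 50)
    return user_checks_and_confirms(bank, phone, bank.request_transfer(t), t) and t in bank.ledger


def run_scenario(phone_infected):
    """Returns True if the attacker's rewritten transfer ends up on the bank ledger."""
    attacker_inbox = []
    phone = InfectedPhone(attacker_inbox) if phone_infected else Phone()
    bank = Bank()
    bank.enroll("victim", phone)

    intended = Transfer("victim", "NL00LEGIT0000000001", 50)
    # Man-in-the-browser on the desktop silently rewrites the transfer the user submitted.
    submitted = Transfer("victim", "ES00MULE00000000099", 4900)
    txid = bank.request_transfer(submitted)

    if phone_infected:
        # The attacker reads the forwarded SMS and completes the authorization themselves.
        bank.confirm(txid, CODE_RE.search(attacker_inbox[-1]).group(1))
    else:
        user_checks_and_confirms(bank, phone, txid, intended)

    return submitted in bank.ledger


if __name__ == "__main__":
    print("legitimate transfer confirmed:", legitimate_transfer_works())
    print("MITB alone, clean phone, fraud succeeds:", run_scenario(phone_infected=False))
    print("MITB plus SMS trojan, fraud succeeds:", run_scenario(phone_infected=True))
```

With a clean phone the SMS shows the rewritten amount and destination, the user refuses, and the MITB attack fails; that is exactly the gap the mobile component closes, since the forwarded code is never seen by the victim at all. The bank-side binding of the code to the transaction details is sound, but it only helps while the channel that displays those details is one the attacker does not control.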
Trusteer has noted campaigns particularly targeting banks in Spain, Portugal, the Netherlands and Germany – countries in which Android has more than 60% of the mobile market. “Today,” writes Trusteer’s Amit Klein in the company blog, “criminals are compromising Android devices to circumvent out-of-band security mechanisms that send SMS messages to authorize both web and mobile banking transactions. Going forward, we expect criminals to expand their attack tactics on mobile devices to mimic desktop attack techniques, including web injection, key loggers, and screen capture, among others.”