A new Android banking Trojan has surfaced and gripped the entire banking industry across the US and Europe by appearing as a Flash Player App.
The Trojan has already targeted the customers of around 94 major banking and financial apps in US and Europe including Santander, Coinbase, American Express, PayPal, Deutsche Bank, Credit Karma and Wells Fargo, etc. This is a very sophisticated and advanced piece of malware, which is quite dangerous as well because it can easily evade the SMS-based two-factor authentication system.
According to Kai Lu, a security researcher at Fortinet, users who actively use banking applications on their mobiles need to remain cautious and beware of this new malware campaign. Lu stated that:
“This banking malware can steal login credentials from 94 different mobile banking apps.”
Here is how it attacks:
When installed, the fake Flash Player app appears at the launcher and shows a screen overlapping all the other apps. When the user clicks on Cancel, this view disappears only to restart again. It always remains on top of your display screen. When the user clicks on Activate button for deleting the request, the Trojan receives device administrator rights. The Flash Player icon then disappears but in the background the Trojan remains active. After gaining administrator rights, the self-defense mechanism of the malware prevents it from getting uninstalled.
This banking malware is capable of targeting various popular social media apps as well including Google Play Store, Facebook,Facebook Messenger, Calculator, Whatsapp, Twitter, Snapchat, Skype, Instagram and Viber.
This malware can also intercept SMS messages and this is why it is believed to have the capability of bypassing SMS-based two-factor authentication mechanism. It can also send and upload SMS messages along with running a factory reset and collecting sensitive information like the IMEI code of the device, ISO country code, phone’s model/build, phone number. The information is later sent to the trojan’s command-and-control server.
Lu analyzed that the banks targeted through this Trojan are located in “the United States, Germany, France, Australia, Turkey, Poland and Austria.”
Using a fake login window, the malware also tricks the user into entering login credentials for the apps installed on the device and the information is transferred to the C&C server.
The good news is that this Trojan can be removed by manually disabling the malware’s administrative rights using: Settings>Security>Device Administrators>Google Play Services>Deactivate.
When the rights of admin are deactivated, the user can find Flash Player update and uninstall it.