ESET security researchers have discovered an Android malware targeting banking customers in Australia — The malware also bypasses the two-factor authentication system
Customers of four of Australia’s largest banks are being targeted by sophisticated Android malware that bypasses two-factor authentication and steals banking credentials.
The four banks involved are the Commonwealth Bank, National Australia Bank, Westpac and the ANZ Bank. Their millions of customers have been put at risk by the malware, which infects a device and hides from the user, waiting for the moment a banking app is opened.
The malware then overlays a fake login screen on the phone and uses it to capture the user’s credentials. The screens are designed to look like the login screens of popular, well-known applications such as PayPal, Skype, WhatsApp and several Google services, and to mimic banking applications from Australia, New Zealand and Turkey.
Beyond the big four, the target list includes other banks in Australia and New Zealand, Turkish banks and others: Bendigo Bank, St George Bank, BankWest, ME Bank, ASB Bank, Bank of New Zealand, KiwiBank, Wells Fargo, Halkbank, Yapı Kredi Bank, Vakifbank, Garanti Bank, Akbank, Finansbank, Türkiye İş Bankası and Ziraat Bankası.
This latest attack shows how malware has evolved, as criminals make it more sophisticated and better at evading security measures. ESET senior researcher Nick FitzGerald said: “This is a significant attack on the banking sector of Australia and New Zealand, and should not be taken lightly. While 20 banking apps have been targeted so far, there is a high possibility the e-criminals involved will further develop this malware to further attack more banking apps.”
The malware also defeats SMS-based two-factor authentication by intercepting the one-time codes sent to the phone and forwarding them to the attackers instead. Together with the captured credentials, this potentially gives them everything they need to log in to a victim’s bank account and do as they please.
ESET, which detected the malware, said it infects devices by posing as Adobe Flash Player, supposedly required to play streaming videos. Once installed it requests device-administrator rights, checks which banking applications are installed and reports them back to the attackers, after which it can start inserting the fake login screens.
The fake Flash Player is not distributed through the protected Google Play Store but through bogus websites and messages that trick users into sideloading it. Websites known to host the malware include adobeplayerdownload.com, adobeflashplaayer.com and flashplayeerupdate.com.
A Google spokesperson warned users not to allow their phones to install apps from untrusted sources on the web and to stick to those recommended by Google. The spokesperson said over a billion devices are protected by Google Play, which routinely and automatically scans at least 200 million Android devices every day.
To check whether your device is affected, open the list of device administrators under Settings > Security > Device Administrators; on an infected device, Flash Player will be listed there. When you try to deactivate it, the malware displays a bogus warning claiming that data will be deleted if you proceed; the warning is fake and can be ignored.
Proceeding disables the malware’s device-administrator rights, after which it can be uninstalled via Settings > Apps/Application manager > Flash Player > Uninstall. In some cases the malware is reported to overlay a fake warning on top of the Device Administrators list to block deactivation. The remaining option is then to restart the device in safe mode, which boots with all user-installed apps disabled and so prevents the malware from blocking access to the Device Administrators list. How safe mode is entered varies between devices, so it is best to consult your manual or the manufacturer’s support website.
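The indicators the article gives (a sideloaded app calling itself Flash Player, served from look-alike Adobe domains, holding device-administrator rights and SMS access so it can read 2FA codes and draw over banking apps) can be turned into a simple triage check over an app inventory. The following is an added example, not code from ESET or the article; the inventory record format, the package names and the sample entries are constructed for illustration, while the permission names are standard Android ones.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Indicators taken from the article: poses as "Flash Player", sideloaded rather than
# installed from Google Play, served from bogus Adobe look-alike domains, asks for
# device-administrator rights, and needs SMS access to intercept 2FA codes.
DROPPER_LABEL = re.compile(r"flash\s*player", re.IGNORECASE)
BOGUS_DOMAINS = {"adobeplayerdownload.com", "adobeflashplaayer.com", "flashplayeerupdate.com"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"  # needed to draw a fake login screen
PLAY_STORE = "com.android.vending"                        # installer package of Google Play

@dataclass
class InstalledApp:
    """One app-inventory entry (hypothetical format constructed for this example)."""
    package: str
    label: str
    installer: Optional[str]                 # package that installed the app; None = sideloaded
    permissions: Set[str] = field(default_factory=set)
    device_admin: bool = False               # listed under Settings > Security > Device Administrators
    source_url: Optional[str] = None         # download URL, if the inventory records one

def triage(app: InstalledApp) -> List[str]:
    """Return the article's indicators that this app matches (empty list = nothing suspicious)."""
    hits = []
    if DROPPER_LABEL.search(app.label):
        hits.append("label imitates Adobe Flash Player")
    if app.installer != PLAY_STORE:
        hits.append("not installed from Google Play")
    if app.source_url and any(d in app.source_url for d in BOGUS_DOMAINS):
        hits.append("downloaded from a known bogus Flash Player domain")
    if app.device_admin:
        hits.append("holds device-administrator rights")
    if app.permissions & SMS_PERMS:
        hits.append("can read or receive SMS (2FA code interception)")
    if OVERLAY_PERM in app.permissions:
        hits.append("can draw over other apps (fake login overlay)")
    return hits

def is_suspected_dropper(app: InstalledApp) -> bool:
    """A 'Flash Player' matching at least three indicators fits the article's description."""
    return bool(DROPPER_LABEL.search(app.label)) and len(triage(app)) >= 3

# Constructed sample inventory (not real data): one infected-looking entry, one legitimate app.
SAMPLE_APPS = [
    InstalledApp("com.example.fakeflash", "Flash Player", None,
                 {"android.permission.RECEIVE_SMS", OVERLAY_PERM, "android.permission.INTERNET"},
                 device_admin=True, source_url="http://adobeflashplaayer.com/flashplayer.apk"),
    InstalledApp("com.example.bank", "Example Bank", PLAY_STORE, {"android.permission.INTERNET"}),
]
```

Running `triage` over every entry of a real inventory lists, per app, which of the article's indicators it matches; an app that passes `is_suspected_dropper` is a candidate for the manual removal steps above.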
The discovery is a blow to Android maker Google, coming just as it plans to step up efforts to block shady websites carrying bogus advertisements and pop-ups that often lead to malware. Ways have to be found to prevent something of this magnitude from happening again, and Google may have to look to iOS, which locks its system down against downloads from outside its store.