Hackers target major Australian banking apps for cash

Russian speaking hackers are targeting Android devices installed with apps from nearly all Australian banks in order to intercept SMS codes used to authorise transactions.

Receiving an SMS from your bank to authorise a payment is far more convenient than the more secure alternative enforced by some European banks.

However, a criminal group, dubbed The Postal Group, may push Australian banks towards the European model after turning its sights on Android smartphone apps from Australia’s biggest banks.

Apps from the Commonwealth Bank of Australia (CBA), Westpac and National Australia Bank (NAB) are included in a hit list in Android malware known as “OpFake”, according to a new report from Poland’s computer emergency response team (CERT.PL).

The “OpFake” Android malware has been around in various forms for several years; however, a recent sample discovered by CERT.PL reveals its ambitions for Australia.

On infected smartphones, the malware presents a pop-up message over Google’s Gmail app that requests the target enter an email address and password. It will also present a request for credit card information in a pop-up when Google’s app store for Android, Google Play, is active.

The sting for the SMS one-time code system used by most Australian banks is that the malware looks for signs of installed apps that connect to the banking websites. These include the Bank of Queensland, CBA, NAB, St George, SunCorp and Westpac. In other words, Australia’s big four and the major brands behind them.

Although the malware doesn’t explicitly go after the bank account usernames and passwords, the information it may have collected from an infected smartphone — a Gmail user name and password — could be enough to hijack a transaction in the future. Studies have shown that users frequently reuse passwords from one account on others.

“In the case of this app, attackers do not need a computer malware counterpart to transfer funds from the victim’s account. By taking control of the user messages, they have access to the SMS-based one time password,” CERT.PL noted.

“By using the application overlay technique they can also get the user to send login and password details. So, by attacking only a user’s phone they gain almost complete control over user’s bank accounts,” it added.
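As an added illustration, not code from the article or from CERT.PL, the following Python heuristic scans a decoded AndroidManifest.xml for the permission and receiver combination that enables the behaviour described above: SMS interception, overlay pop-ups, and watching which app is in the foreground. The manifest it runs on is constructed, and the package name is hypothetical.

```python
"""Triage a decoded AndroidManifest.xml for the SMS-OTP-stealing overlay profile."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
TASKS_PERM = "android.permission.GET_TASKS"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest (hypothetical package name) resembling the behaviour
# described: SMS interception, overlay windows, and foreground-app sniffing.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application>
    <receiver android:name=".SmsGrabber">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def triage_manifest(xml_text):
    """Return the indicators present; the full set matches the profile in the article."""
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    found = []
    if perms & SMS_PERMS:
        found.append("sms-access")
    if OVERLAY_PERM in perms:
        found.append("overlay-windows")
    if TASKS_PERM in perms:
        found.append("foreground-app-sniffing")
    for f in root.iter("intent-filter"):
        actions = {attr(a, "name") for a in f.iter("action")}
        prio = attr(f, "priority")
        # A high-priority SMS_RECEIVED receiver sees the OTP before the messaging app.
        if SMS_ACTION in actions and prio is not None and int(prio) >= 100:
            found.append("high-priority-sms-receiver")
    return found
```

Any one of these indicators is common in legitimate apps; it is the combination, especially with a high-priority SMS receiver, that is worth a closer look.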

The Android malware is not isolated to Australian targets and seeks out signs of apps from British banks, including Santander, RBS, Lloyds, Halifax, HSBC and Barclays. It can also be considered an emerging rather than established threat, since CERT.PL's data shows that only a few hundred devices have been infected across the globe.

CERT.PL has named the hacking crew behind the Android malware "The Postal Group" because it has previously posed as postal services in Australia, Poland, Turkey, Denmark and the UK to target victims with file-encrypting malware.

The group has paid special attention to Australia, posing as Australia Post, the Australian Federal Police (AFP), and NSW Office of State Revenue to dupe victims in different campaigns between 2013 and today.

Perhaps the highest-profile target in which Australia Post was used as the bait was ABC News 24, whose live programming was disrupted briefly after one of its PCs was infected by crypto-ransomware last October.

More recently the AFP’s logo was used to convince targets to download a supposed infringement notice that actually was a file that installed the CryptoLocker malware.

CERT.PL has also tied the group to the 9,000 PCs in Australia that CSO Australia reported in December had been infected with TorrentLocker ransomware.

As security firm ESET noted at the time, the malware stole each victim’s address book and email credentials before locking files using a strong encryption algorithm, likely in order to build a database of future targets.

Typical of ransomware attacks, it demanded payment in Bitcoin via a Tor-protected hidden website in exchange for the key to unlock the files.


Stories by Liam Tung
