Android malware spies on six Australia bank apps for credentials

An old banking trojan that was once limited to Russia has been updated to catch Australian banking customers.

According to Russian antivirus firm Dr. Web, at the beginning of 2016 Australian smartphones represented the fourth largest group of devices infected by an Android banking trojan it labels “Android.SmsSpy.88.origin”.

The trojan first emerged in 2014 initially targeting banking customers in Russia and CIS countries, but a new version emerged in late 2015 to target non-Russian banking customers, including customers at six major Australian banks.

According to Dr. Web, it is designed to steal login credentials from smartphones with banking apps installed and send them to the attacker’s server. The malware monitors about 100 apps, mostly banking apps but also PayPal and Google Play.

The six Australian bank apps it monitors include those from Westpac, St. George, NAB, BankSA, ING Direct Australia and Bankwest, a Dr. Web spokesman told CSO Australia.

After detecting the real banking app on the device, the malware displays a bogus form that mimics the app’s login page, tricking the user into entering their credentials into the malware rather than the bank’s app.

It also intercepts incoming SMS messages in order to capture the one-time codes banks send for two-factor authentication, which the attackers can then use to authorise overseas transfers.
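The two behaviours described above, overlaying a fake login form and intercepting SMS codes, show up in an Android package as a characteristic set of permissions and broadcast receivers. The following triage script is an added example and is not code from the article or from Dr. Web; it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool) and flags the overlay-plus-SMS combination. The manifest it runs on is constructed for the example, and the capability-to-permission mapping and the “Flash Player” lure check are the author's own heuristics, not a published signature for Android.SmsSpy.88.origin.

```python
"""Manifest triage for overlay/SMS-stealing Android banking trojans.

Added example (not from the article or Dr. Web). The manifest below is
CONSTRUCTED for this example; the package name and class names are made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"
LABEL = f"{{{ANDROID_NS}}}label"

# Constructed decoded manifest of a hypothetical fake "Flash Player" dropper.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer.fake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Adobe Flash Player">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Heuristic mapping (author's assumption): a capability is present if the app
# requests ANY of the listed permissions.
CAPABILITIES = {
    # drawing a fake login form over the real banking app
    "overlay_fake_login": {"android.permission.SYSTEM_ALERT_WINDOW"},
    # reading two-factor codes delivered by SMS
    "sms_otp_interception": {"android.permission.RECEIVE_SMS",
                             "android.permission.READ_SMS"},
    # working out which app is in the foreground (GET_TASKS on KitKat-era devices)
    "foreground_app_detection": {"android.permission.GET_TASKS",
                                 "android.permission.PACKAGE_USAGE_STATS"},
    "persist_on_boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def parse_manifest(xml_text):
    """Extract package, permissions, SMS receivers, device-admin and label."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    sms_receivers = []
    device_admin = False
    for recv in root.iter("receiver"):
        if recv.get(PERMISSION) == DEVICE_ADMIN:
            device_admin = True
        if any(a.get(NAME) == SMS_RECEIVED for a in recv.iter("action")):
            sms_receivers.append(recv.get(NAME))
    app = root.find("application")
    label = app.get(LABEL, "") if app is not None else ""
    return {"package": root.get("package"), "permissions": perms,
            "sms_receivers": sms_receivers, "device_admin": device_admin,
            "label": label}


def triage(info):
    """Return the inferred capabilities and whether the overlay+SMS pattern holds."""
    caps = [cap for cap, needed in CAPABILITIES.items() if info["permissions"] & needed]
    if info["sms_receivers"]:
        caps.append("sms_receiver_registered")   # can read SMS before the default app
    if info["device_admin"]:
        caps.append("device_admin_lock")         # typical of the screen-lock feature
    if "flash" in info["label"].lower():
        caps.append("flash_lure")                # Adobe no longer ships Flash for Android
    pattern = {"overlay_fake_login", "sms_otp_interception"} <= set(caps)
    return {"capabilities": sorted(caps), "banking_trojan_pattern": pattern}


if __name__ == "__main__":
    result = triage(parse_manifest(SAMPLE_MANIFEST))
    print(result)
```

The overlay permission on its own is common in legitimate apps (chat heads, screen filters), and SMS permissions on their own are common too; the point of the check is the combination, which has little legitimate use and matches the behaviour the article describes.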

Australian Android devices represented nearly 7 percent of 40,000 mobile devices worldwide that were compromised by the malware. Spain and India had slightly more infections than Australia, while devices in Turkey accounted for 18 percent.

Dr. Web said the trojan affected devices in 200 countries. Most were running Android 4.4 KitKat, with Android 5.1, 5.0 and 4.1 also represented.

Like many other pieces of Android malware, it is distributed outside the Google Play store, packaged as a bogus Adobe Flash Player installer for Android. Adobe no longer ships Flash Player for any of the Android versions listed above, so any such installer should be treated as a lure.

Rival security vendor ESET reported a similar piece of Android malware earlier this year. Again, the trojan was being distributed outside Google’s app store as a fake Flash installer, and it monitored the Android apps of Westpac, ANZ, Commbank and NAB.

Dr. Web’s spokesman said these were two different pieces of malware, despite some superficial similarities.

The other feature added since 2014 is a screen-locking ransomware page. Fortunately, it does not encrypt data on affected phones.

Dr. Web notes that the trojan is being advertised on underground forums and sold as a service, offering customers a convenient administration panel to manage infected devices.


Stories by Liam Tung
