A banking trojan dubbed BankBot originally only targeted Russian bank apps but now includes bogus sign-in pages for Australian banking apps.
The malware was hidden in an app called Funny Videos 2017, which Google has now removed from the Google Play Store, but only after the app had been downloaded between 1,000 and 5,000 times.
The trojan checks for the presence of legitimate banking apps and displays a fake sign-in overlay when the user attempts to launch a targeted bank app. The malware also attempts to steal payment card information by monitoring when users launch popular apps, such as Snapchat, Twitter, and the Play Store. When these apps are launched, the malware displays a fake Google Play payment dialogue requesting payment card details.
A Russian security firm discovered BankBot-infected apps on Google Play in January, but back then it targeted 40 banking apps, mostly in Russian-language markets, as well as several US banking apps.
According to Securify researcher Niels Croese, the two newer BankBot-infected apps target over 400 bank apps, including Australian banking and insurance brands. Among them are the Australian versions of the ING Direct and Citibank apps, AMP, ANZ, Bankwest, Bank of Queensland, Macquarie, NAB, Suncorp, St George, the Commonwealth Bank of Australia, and Westpac. It also targets New Zealand bank apps, and brands from several European markets.
The malicious features were likely added to the Funny Videos app in an update released on April 8, according to Croese.
Researchers at Dr Web in January warned of an expected rise in banking trojans targeting Android users due to the source code for one malicious banking app being published on a hacker forum.
Security firm ESET in February also found a bogus version of the Good Weather app on Google Play, which contained the same banking malware targeting 22 Turkish banking apps.