A new Android trojan has the ability to intercept text messages and bypass the SMS-based two-factor authentication system protecting customers’ bank accounts.
Lukas Stefanko, a malware analyst at ESET, notes in a blog post that the trojan, detected as “Android/Spy.Agent.SI,” is currently targeting customers of 20 large banks located in Australia, New Zealand, and Turkey via their mobile apps.
The malware tricks users into downloading it onto their devices by masquerading as Adobe Flash Player. Upon installation, it requests that the user grant the malicious app administrator rights, before seemingly disappearing from view.
Do not be reassured by that: the Flash Player icon may no longer be visible, but the trojan is just getting started.
At this point, Android/Spy.Agent.SI contacts a remote server hosting malicious APK files whose corresponding URL paths are regenerated hourly in a bid to avoid detection by anti-virus software.
The trojan uses this connection to send information about the infected device, along with the package names of installed applications, to its operators. Stefanko explains that if any of the installed apps is identified as a target, the remote server responds with a list of 49 apps that Android/Spy.Agent.SI is equipped to target with a phishing overlay:
“The malware manifests itself as an overlay, appearing over the launched banking application: this phishing activity behaves like a lock screen, which can’t be terminated without the user entering their login credentials. The malware does not verify the credibility of the data entered, instead sending them to a remote server, at which point the malicious overlay closes. The malware does not focus only on mobile banking apps, but also tries to obtain Google account credentials as well.”
In case the victim’s account is protected with SMS-based two-factor authentication, Android/Spy.Agent.SI can also forward all SMS communications to the remote server on request. That gives the operators the one-time codes the bank sends, which is all they need to bypass this form of 2FA once they hold the stolen credentials.
Nick FitzGerald, a senior research fellow at ESET, put the threat into perspective when speaking to ABC News:
“We’re not seeing a large amount of this happening, but the fact that the bad guys behind this are now attacking the two-factor authentication mechanisms used by these banks means that it’s very likely that we’ll see more Android banking Trojan software, malware, and possibly smaller sorts of malware for other platforms doing this in the future.”
Fortunately, there are things you can do to protect yourself.
First, if you ever see anything masquerading as Adobe Flash Player on Android, you can be sure it’s a fake. Adobe stopped distributing Flash Player for Android in 2012, so nothing legitimate by that name is still circulating on the platform.
Second, you would be wise to install mobile apps only from the official Google Play Store rather than less-trustworthy third-party sites, to be wary of any app that asks for device administrator rights it has no plausible need for (granting them is what lets this trojan hide and resist removal), and to keep a mobile anti-virus solution running on your phone as an added layer of defense.
Last but not least, if you do become infected with Android/Spy.Agent.SI, first revoke the fake Flash Player’s device administrator rights in Settings (Android will not uninstall an app while it is still an active device administrator) and then uninstall it; if that fails, reboot into Safe Mode, which prevents third-party apps from running, and remove it from there.
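For readers who would rather check a device from a workstation than scroll through Settings, here is an added triage script (written for this article, not ESET’s code, and not a signature for Android/Spy.Agent.SI). It applies the two checks above to output captured from `adb shell pm list packages -f` and `adb shell dumpsys device_policy`: any package presenting itself as Flash Player is flagged, and any user-installed package that holds device administrator rights is listed for review. The sample output embedded below is constructed, and the layout of the `dumpsys device_policy` block is an assumption that varies between Android versions, so the parser relies only on the `ComponentInfo{package/class}` lines.

```python
"""Offline triage of adb output for a fake Flash Player that holds device admin rights.

Added example for this article; not ESET's code. It implements only the two
checks the article gives: Adobe shipped no Flash Player for Android after 2012,
and the trojan needs device administrator rights to hide and resist removal.
"""
import re
from dataclasses import dataclass

# Constructed sample of `adb shell pm list packages -f` output
# (one line per app: package:<apk path>=<package name>).
PM_LIST_SAMPLE = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/priv-app/PrebuiltGmsCore/PrebuiltGmsCore.apk=com.google.android.gms
package:/data/app/com.android.chrome-1/base.apk=com.android.chrome
package:/data/app/com.adobe.flashplayer-1/base.apk=com.adobe.flashplayer
package:/data/app/au.com.examplebank.mobile-2/base.apk=au.com.examplebank.mobile
"""

# Constructed sample modelled on the "Enabled Device Admins" block of
# `adb shell dumpsys device_policy`. The exact layout is an assumption and
# differs between Android versions; only the ComponentInfo{...} lines are parsed.
DEVICE_POLICY_SAMPLE = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.adobe.flashplayer/com.adobe.flashplayer.Dev}
      uid=10087
      policies: wipe-data reset-password
    ComponentInfo{com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver}
      uid=10010
"""

PM_LINE = re.compile(r"^package:(?P<apk>.+?)=(?P<pkg>[\w.]+)$")
ADMIN_LINE = re.compile(r"ComponentInfo\{(?P<pkg>[\w.]+)/(?P<cls>[\w.$]+)\}")
USER_INSTALLED_PREFIX = "/data/app/"   # system apps live under /system/...


@dataclass(frozen=True)
class Finding:
    package: str
    severity: str   # "high" or "review"
    reason: str


def parse_pm_list(text: str) -> dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    packages = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("apk")
    return packages


def parse_device_admins(text: str) -> dict[str, str]:
    """Map package name -> admin receiver class from `dumpsys device_policy` output."""
    return {m.group("pkg"): m.group("cls") for m in ADMIN_LINE.finditer(text)}


def looks_like_flash_player(pkg: str) -> bool:
    """Any Android package calling itself Flash is suspect: Adobe dropped it in 2012."""
    return "flash" in pkg.lower()


def triage(pm_text: str, dp_text: str) -> list[Finding]:
    """Combine the two checks; 'high' findings sort first."""
    packages = parse_pm_list(pm_text)
    admins = parse_device_admins(dp_text)
    findings = []
    for pkg, apk in packages.items():
        is_flash = looks_like_flash_player(pkg)
        is_admin = pkg in admins
        user_installed = apk.startswith(USER_INSTALLED_PREFIX)
        if is_flash and is_admin:
            findings.append(Finding(pkg, "high",
                "claims to be Flash Player and holds device administrator rights"))
        elif is_flash:
            findings.append(Finding(pkg, "high",
                "claims to be Flash Player (no legitimate Android build exists)"))
        elif is_admin and user_installed:
            findings.append(Finding(pkg, "review",
                f"user-installed app is a device administrator ({admins[pkg]})"))
    return sorted(findings, key=lambda f: (f.severity != "high", f.package))


if __name__ == "__main__":
    for f in triage(PM_LIST_SAMPLE, DEVICE_POLICY_SAMPLE):
        print(f"[{f.severity}] {f.package}: {f.reason}")
        if f.severity == "high":
            # Same order as the removal advice above: revoke admin rights first,
            # then uninstall; fall back to Safe Mode if the app blocks either step.
            print(f"  -> revoke device admin in Settings, then: adb uninstall {f.package}")
```

Run it against real captures by replacing the two sample strings with the contents of `adb shell pm list packages -f` and `adb shell dumpsys device_policy`. Google Play Services appears as a device administrator in the sample but is not flagged because it is a system app; a bank’s own app that legitimately registers as a device administrator would show up as "review" rather than "high", which is the intended distinction.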
For more information on the trojan, please read ESET’s report.