As more consumers and businesses have moved to mobile as their main platform for banking, attackers have taken notice and followed suit. The number of mobile banking Trojans increases every day, but some are more sophisticated than others, and researchers have discovered new variants in an old Android malware family that can attack more than 30 separate mobile banking apps, as well as PayPal and other financial apps.
Known as Acecard, this family of malware has been circulating for several years, and has had a variety of interesting capabilities that have evolved over time. From the beginning, Acecard has targeted banking and other high-value apps through the use of overlay screens that sit on top of the legitimate log-in screen for a targeted app. The screens ask for users’ credentials, which then are sent to the attackers.
The Acecard malware now can perform this trick against more than two dozen separate banking apps, and the Trojan has been found attacking users in many countries, including the United States, Russia, Australia, and Germany.
“The most recent versions of the Acecard family can attack the client applications of more than 30 banks and payment systems. Considering that these Trojans are capable of overlaying any application upon command, the overall number of attacked financial applications may be much larger,” researcher Roman Unuchek of Kaspersky Lab wrote in an analysis of the new version of the Acecard malware.
Another key capability of Acecard is the feature that allows it to intercept incoming text messages and parse them to look for authorization codes from banks. Many banks use SMS messages as a second form of authentication for transfers, new device registration, and other transactions. Acecard contains a list of bank phone numbers and will look for incoming texts from those numbers.
“The Trojan has a list of phrases, so it can compare incoming text messages and identify those with verification codes for bank operations or registration, and send just the code to the cybercriminal, rather than the full SMS,” Unuchek said.
Acecard also has the ability to wipe an infected Android device and reset it to its factory settings, on command from the attacker. Unuchek said the Trojan spreads through a few different methods, often being disguised as an Adobe Flash update or an adult video. The malware also is spread through other Trojan downloaders, and Unuchek said some versions of that downloader will exploit vulnerabilities on a device in order to get full privileges on the phone. One version of the downloader was found in the Google Play app store.
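The three capabilities the article describes (overlaying other apps, intercepting SMS verification codes, and wiping the device on command) each need declarations in an app's Android manifest, which makes the combination a useful static triage signal when reviewing APKs. The script below is an added example in Python, not Kaspersky's or the article's code. The permission and broadcast-action names it checks are real Android identifiers, but mapping them to the capabilities the article describes is this example's own assumption, and both manifests are constructed samples.

```python
"""Static manifest triage for the overlay + SMS-intercept + remote-wipe
capability combination described in the article.

Added example; not the article's or Kaspersky's code. The mapping from
described capabilities to Android identifiers is an assumption of this
example, and the two manifests below are constructed samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumed capability -> indicator mapping. Any one indicator in the set
# counts as evidence for that capability.
CAPABILITIES = {
    # Drawing a fake login screen over a legitimate banking app.
    "overlay_on_other_apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    # Reading incoming texts to harvest bank verification codes.
    "sms_interception": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.provider.Telephony.SMS_RECEIVED",
    },
    # Factory reset requires a device-admin receiver.
    "remote_wipe": {
        "android.permission.BIND_DEVICE_ADMIN",
        "android.app.action.DEVICE_ADMIN_ENABLED",
    },
}


def collect_indicators(manifest_xml: str) -> set[str]:
    """Return every uses-permission name, receiver-level permission and
    receiver intent-filter action declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    found: set[str] = set()
    for up in root.iter("uses-permission"):
        if up.get(NAME_ATTR):
            found.add(up.get(NAME_ATTR))
    for rcv in root.iter("receiver"):
        # Device-admin receivers are protected by android:permission,
        # not declared via uses-permission.
        if rcv.get(PERM_ATTR):
            found.add(rcv.get(PERM_ATTR))
        for act in rcv.iter("action"):
            if act.get(NAME_ATTR):
                found.add(act.get(NAME_ATTR))
    return found


def triage(manifest_xml: str) -> dict:
    """Score a manifest by how many of the three capabilities it declares.
    A single capability is common in legitimate apps (an SMS client needs
    RECEIVE_SMS), so only the combination is escalated for review."""
    found = collect_indicators(manifest_xml)
    matched = {
        cap: sorted(found & indicators)
        for cap, indicators in CAPABILITIES.items()
        if found & indicators
    }
    score = len(matched)
    verdict = "review" if score >= 2 else "info" if score == 1 else "clean"
    return {"capabilities": matched, "score": score, "verdict": verdict}


# Constructed sample: an app posing as a Flash update that declares all three.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".SmsRx">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminRx"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary messaging app that legitimately reads SMS.
BENIGN_SMS_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST),
                            ("benign", BENIGN_SMS_APP_MANIFEST)):
        print(label, triage(manifest))
```

The benign messenger scores "info" rather than "review": SMS access alone is not suspicious, and the value of the heuristic comes from the co-occurrence of overlay and device-admin declarations with it. It is a first-pass filter for which APKs deserve dynamic analysis, not a verdict.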
“The cybercriminals are using virtually every available method to propagate the banking Trojan Acecard, be it under the guise of another program, via official app stores, or via other Trojans. This combination of propagation methods, which includes the exploitation of vulnerabilities in the operating system, along with Acecard’s capabilities make this mobile banker one of the most dangerous threats to users,” Unuchek said.
Image from Flickr stream of Rob Bulmahn.