Features that once were reserved solely for top-shelf malware are becoming standard equipment for mobile malware. The latest must-have feature is the ability to bypass two-factor authentication, and it is showing up in more and more malicious apps, especially those that impersonate banking apps.
A couple of months ago a new version of the Bankosy Trojan was discovered that had the ability to intercept SMS messages from banks on infected devices and forward them to the attacker. Some banks use texts as an out-of-band method of 2FA, sending short codes to users, who then enter them in the app or online. Attackers have been developing methods to circumvent this authentication scheme, and the most effective has turned out to be a combination of stealing texts and overlaying banking app login screens.
Many phishing campaigns and normal desktop versions of malware have relied on authentic-looking bank login sites to fool users into entering their credentials. But on the mobile platform, users employ dedicated mobile apps that are far more difficult to impersonate or replace with malicious versions. So attackers have begun employing a tactic in which malware will display an overlay screen whenever a targeted mobile banking app is opened. That screen mimics the actual app’s login screen and allows the attacker to steal the victim’s credentials.
Researchers at Eset have come across another mobile Trojan using the same tactic. The malware affects Android devices and masquerades as Adobe Flash.
“The malware manifests itself as an overlay, appearing over the launched banking application: this phishing activity behaves like a lock screen, which can’t be terminated without the user entering their login credentials. The malware does not verify the credibility of the data entered, instead sending them to a remote server, at which point the malicious overlay closes. The malware does not focus only on mobile banking apps, but also tries to obtain Google account credentials as well,” Lukas Stefanko of Eset wrote in an analysis of the malware, which is known as Android/Spy.Agent.SI.
This malware can also intercept SMS messages from banks and is currently targeting customers of numerous banks in New Zealand, Turkey, and Australia.
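The tactic described above combines two device capabilities: reading incoming texts and drawing a window over another app. As an added triage example (not code from Eset or from the article), the following Android class lists installed non-system packages that request both; it assumes the overlay is drawn via the `SYSTEM_ALERT_WINDOW` permission, which the article does not state, and a hit is a lead for review rather than proof of infection, since some legitimate messaging apps request the same pair.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical audit helper: flags packages that ask for both SMS access and
// the permission used to draw over other apps, the pairing the overlay-plus-SMS-theft
// banking trojans rely on. On Android 11+ the caller also needs package visibility
// (e.g. QUERY_ALL_PACKAGES) for getInstalledPackages() to return third-party apps.
public final class OverlaySmsAudit {

    private static final String RECEIVE_SMS = "android.permission.RECEIVE_SMS";
    private static final String READ_SMS = "android.permission.READ_SMS";
    private static final String DRAW_OVERLAYS = "android.permission.SYSTEM_ALERT_WINDOW";

    private OverlaySmsAudit() {}

    public static List<String> suspiciousPackages(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        List<String> hits = new ArrayList<>();
        for (PackageInfo info : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            if (info.requestedPermissions == null || info.applicationInfo == null) continue;
            List<String> perms = Arrays.asList(info.requestedPermissions);
            boolean readsSms = perms.contains(RECEIVE_SMS) || perms.contains(READ_SMS);
            boolean drawsOverlays = perms.contains(DRAW_OVERLAYS);
            // Skip apps shipped in the system image (the stock messaging app, dialer, etc.).
            boolean isSystem = (info.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            if (readsSms && drawsOverlays && !isSystem) {
                hits.add(info.packageName);
            }
        }
        return hits;
    }
}
```

Each returned package name should then be checked by hand: whether the app actually needs SMS access, whether its publisher matches what it claims to be (the sample above poses as Adobe Flash, which is not an app a user installs from a trusted store), and whether it was sideloaded.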