Quick Heal Security Labs has spotted an Android banking Trojan that imitates more than 232 apps including those offered by Indian banks.
The malware is detected as Android.banker.A2f8a (previously as Android.banker.A9480). According to researchers at Quick Heal Security Labs, Android.banker.A2f8a is distributed as a fake Flash Player app on third-party app stores. Once installed, it repeatedly enumerates the apps on the victim's device, looking for any of the 232 targeted banking and cryptocurrency apps. When one is found, the malware shows a fake notification that appears to come from that app; tapping it opens a fake login screen that harvests the user's login ID and password. Sanjay Katkar, joint MD and CTO of Quick Heal Technologies, said users should avoid downloading apps from third-party app stores or from links sent in SMS messages and emails in order to keep their credentials safe. Users should also install a reliable mobile security solution that detects and blocks malicious apps before they infect the device and steal sensitive data, Katkar said.
Quick Heal Security Labs is the threat research and response division of Quick Heal Technologies, one of the leading providers of IT security solutions. According to the lab, once installed the malicious app asks the user to grant it device administrator rights. If the user denies the request or kills the process, the app keeps throwing pop-ups until the privilege is granted. Once it has admin rights, the app hides its icon shortly after the user taps it and carries on in the background, where it keeps checking the installed apps on the victim's device for the 232 targeted banking and cryptocurrency apps.
If one of the targeted apps is present on the infected device, the malware shows a fake notification on behalf of that banking app. If the user taps the notification, a fake login screen is displayed to steal confidential information such as the net banking login ID and password. The malware can also intercept all incoming and outgoing SMS messages on the infected device, which lets the attackers bypass SMS-based two-factor authentication (OTPs) on the victim's bank account, Quick Heal Research said. It can also send SMS messages whose text and destination number are supplied dynamically by its server, and it can set the device's ringer to silent so that the user does not notice the SMS notifications.
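The capabilities described above (nagging for device-administrator rights, receiving and sending SMS) all have to be declared in an app's manifest, which makes a decoded AndroidManifest.xml a cheap first triage point for samples of this kind. The script below is an added example written for this page; it is not Quick Heal's tooling and contains no code from the malware. It parses a decoded manifest (for instance apktool output) and flags the combination of a device-admin receiver, an SMS_RECEIVED receiver and SMS permissions. The sample manifest, its package name and the receiver class names are constructed for the example; the high-priority SMS receiver it checks for is a common OTP-interception pattern and is an assumption, not something the article states about this sample.

```python
"""Manifest triage for the OTP-theft capability set described in the article.

Added example (not Quick Heal's code, not the malware's code). Parses a decoded
AndroidManifest.xml and reports whether it declares the combination of
device-admin activation, SMS interception and SMS sending.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PRIORITY = f"{{{ANDROID_NS}}}priority"

DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",  # intercept incoming OTPs
    "android.permission.READ_SMS",     # read already-delivered messages
    "android.permission.SEND_SMS",     # send messages on the server's command
}

# Constructed sample manifest in the shape of the fake Flash Player dropper
# described above. Package and class names are made up for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.flashplayer">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flash Player">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a findings dict for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}

    device_admin = False
    sms_receiver = False
    sms_priority = None
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if DEVICE_ADMIN_ACTION in actions:
                device_admin = True
            if SMS_RECEIVED_ACTION in actions:
                sms_receiver = True
                # Assumption: a high priority lets the receiver see SMS
                # before other apps, a common OTP-interception trick.
                sms_priority = flt.get(PRIORITY)

    findings = {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "device_admin_receiver": device_admin,
        "sms_receiver": sms_receiver,
        "sms_receiver_priority": sms_priority,
    }
    # Admin-rights nagging plus SMS interception plus SMS sending is the
    # combination the article attributes to Android.banker.A2f8a.
    suspicious = (device_admin and sms_receiver
                  and "android.permission.SEND_SMS" in perms)
    findings["verdict"] = "suspicious" if suspicious else "no match"
    return findings


if __name__ == "__main__":
    import json
    import sys
    # Usage: python triage.py [path/to/decoded/AndroidManifest.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(triage_manifest(text), indent=2))
```

A manifest match on its own is only a triage signal: legitimate SMS apps and MDM agents declare some of the same elements, so a hit should lead to dynamic analysis of the receivers and the network traffic rather than a verdict by itself.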