Updated version of Android Banker
The spyware has been detected stealing victims' bank details and, in some cases, even money.
According to Microsoft cybersecurity researchers, an unknown threat actor launched a smishing (SMS phishing) campaign to trick people into downloading TrojanSpy:AndroidOS/Banker.O. This malware variant is able to extract all kinds of sensitive information, including two-factor authentication (2FA) codes, account credentials and other personally identifiable information (PII).
What makes this attack particularly disturbing is the way the whole operation secretly works.
Granting main permissions
When a user installs the malware, it asks them to grant certain permissions, named in the sample as MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid.
This allows it to intercept calls and access call logs, messages, contacts and even network information. With these capabilities, the malware can also receive and read two-factor authentication codes arriving via SMS and delete them so that the victim doesn't notice anything unusual.
To make matters worse, the app can issue silent commands which means that 2FA codes that come via SMS can be received, read and deleted in complete silence – no notification sounds, no vibrations, no screen backlight, nothing.
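The permission and component combination described above (SMS interception plus a boot receiver and a background service for persistence) is something a defender can check for in a decoded AndroidManifest.xml before an app ever reaches a device. The script below is an added example, not code from the article or from Microsoft's report: it parses a manifest, lists the sensitive permissions it declares, finds receivers registered for SMS_RECEIVED and BOOT_COMPLETED, and gives a simple verdict. The embedded manifest is constructed; its package name is a placeholder and the component names merely echo the ones the article mentions.

```python
# Added example: manifest triage for smishing-delivered banker APKs.
# Not the article's or Microsoft's code; the sample manifest is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that, together, give an app the capabilities the article describes.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (2FA codes)",
    "android.permission.READ_SMS": "read SMS already on the device",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_PHONE_STATE": "phone and network information",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot (persistence)",
}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def _name(el):
    """Return the android:name attribute of a manifest element."""
    return el.get(f"{{{ANDROID_NS}}}name")


def triage_manifest(xml_text):
    """Inspect a decoded AndroidManifest.xml and report sensitive permissions,
    SMS/boot receivers, declared services and a simple verdict."""
    root = ET.fromstring(xml_text)
    declared = {_name(p) for p in root.iter("uses-permission")}
    permissions = {p: why for p, why in SENSITIVE_PERMISSIONS.items() if p in declared}

    receivers = []  # (receiver name, action kind, intent-filter priority)
    for rx in root.iter("receiver"):
        for flt in rx.iter("intent-filter"):
            actions = {_name(a) for a in flt.iter("action")}
            prio = flt.get(f"{{{ANDROID_NS}}}priority")
            if SMS_ACTION in actions:
                # A high-priority SMS_RECEIVED receiver is the classic way to get
                # at a message before the user-facing messaging app does.
                receivers.append((_name(rx), "SMS_RECEIVED", prio))
            if BOOT_ACTION in actions:
                receivers.append((_name(rx), "BOOT_COMPLETED", prio))

    services = [_name(s) for s in root.iter("service")]

    sms_intercept = ("android.permission.RECEIVE_SMS" in permissions
                     and any(kind == "SMS_RECEIVED" for _, kind, _ in receivers))
    persistence = ("android.permission.RECEIVE_BOOT_COMPLETED" in permissions
                   and any(kind == "BOOT_COMPLETED" for _, kind, _ in receivers)
                   and bool(services))
    verdict = "banker-like" if sms_intercept and persistence else "review"
    return {"permissions": permissions, "receivers": receivers, "services": services,
            "sms_intercept": sms_intercept, "persistence": persistence,
            "verdict": verdict}


# Constructed manifest (placeholder package name) mimicking the pattern described.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AutoStartService"/>
    <receiver android:name=".RestartBroadCastReceiverAndroid" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: network access only, no SMS or boot hooks.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage_manifest(manifest)
        print(label, report["verdict"], sorted(report["permissions"]), report["receivers"])
```

The verdict is deliberately coarse: the point is to surface the SMS-receiver-plus-persistence pattern for a human reviewer, not to replace a full APK analysis. A real deployment would run this over manifests extracted with apktool or a similar decoder and feed the findings into the review queue.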
The threat actors behind the campaign are unknown, but Microsoft knows that the app, first seen in 2021 and significantly improved since then, can be accessed remotely.
The extent of the attack is also unknown, as it is difficult to know exactly how many people are affected. Last year, Banker was observed to target only Indian consumers, and given that the phishing SMS bears the logo of the Indian bank ICICI, it is safe to assume that Indian users are also targeted.
“Some malicious APKs also use the same Indian bank logo as the bogus app we investigated, which could indicate that actors are constantly generating new versions to keep the campaign alive,” the researchers said.
By: Register