Security researchers at Symantec have discovered an Android Trojan that is designed to target users of online banking services through various phishing pages the attackers deliver from cloud servers.
According to their findings, the Android.Fakelogin Trojan imitates the login screen of a banking app already installed on the infected device and covers that app with the fake login page, essentially a phishing page, so that the user types credentials into the attackers' page instead of the real one.
This overlay tactic is a form of social engineering and can harvest banking credentials from a broad range of users. Unlike phishing campaigns that simply disguise the malware as a legitimate app, Android.Fakelogin first determines which banking app is installed on the device and then covers that app's user interface with a page tailored to it.
Android.Fakelogin decides which phishing page to serve by contacting a remote command-and-control server, where the targeting logic is hosted. Symantec says this design makes the malware harder to reverse engineer, because the decision logic lives on the server rather than in the sample an analyst can pull from the device.
The Trojan works on older versions of Android but not on Android 6.0 Marshmallow. It arrives disguised as a game app, delivered as a payload by downloader malware that is already on the device and whose job is to fetch further malware.
Once installed, the malware poses as an SMS app and pressures the user into granting it device administrator rights. It also hides its launcher icon, which makes the fake app hard to spot.
Once it has the permission it needs, the malware downloads a list of application package names from the cloud and stores them in a preference file. That file identifies the target banking apps, whose screens will be overlaid with the malicious page to carry out the phishing.
To identify a target, the malware checks which app is running on the handset; if that app's package name appears in the preference file, it sends the package name to the cloud server, which returns the phishing page that imitates that app.
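The target-selection step described above, modelled as an added analyst-side script; this is not code from the malware or from Symantec's analysis. It assumes the preference file is an ordinary Android SharedPreferences XML dump with the package list stored under a single key, and that the installed-app list comes from `adb shell pm list packages`. The key name, package names and both sample inputs are constructed for illustration; the script reports which installed apps would be matched and sent to the server.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a SharedPreferences XML dump holding the downloaded
# target list. The key name "targets", the ';' separator and the package
# names are assumptions for this illustration, not values from the malware.
PREFERENCE_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="targets">com.example.bank1;com.example.bank2;com.example.wallet</string>
    <int name="version" value="3" />
</map>
"""

# Constructed output in the format of `adb shell pm list packages`.
PM_LIST_OUTPUT = """package:com.android.settings
package:com.example.bank2
package:com.android.vending
package:com.example.game
package:com.example.wallet
"""

PKG_LINE = re.compile(r"^package:([A-Za-z0-9_.]+)$")


def parse_target_list(xml_text, key="targets"):
    """Return the set of package names stored under `key` in the dump.

    The value is assumed to be one string of ';'-separated package names.
    Returns an empty set if the key is absent so callers can treat "no
    targets yet" the same as "nothing installed matches".
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    for elem in root.findall("string"):
        if elem.get("name") == key:
            return {p.strip() for p in (elem.text or "").split(";") if p.strip()}
    return set()


def parse_installed_packages(pm_output):
    """Extract package names from `pm list packages` output, ignoring
    any line that does not match the expected `package:<name>` shape."""
    installed = set()
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            installed.add(m.group(1))
    return installed


def select_targets(targets, installed):
    """Packages the malware would report to its server: the installed
    apps that appear on the downloaded target list, in sorted order."""
    return sorted(targets & installed)


if __name__ == "__main__":
    targets = parse_target_list(PREFERENCE_XML)
    installed = parse_installed_packages(PM_LIST_OUTPUT)
    for pkg in select_targets(targets, installed):
        print("would be overlaid:", pkg)
```

On a real device the same comparison can be run against a preference file recovered from the sample's data directory and the live `pm list packages` output, which tells an incident responder which banking apps on that handset were exposed.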
Keeping the logic in the cloud makes the approach highly flexible: the attackers can change targets and phishing pages on the server side without pushing a new version of the malware, whereas other malware has to be updated on the device to keep ahead of security tools.
How to mitigate the security issue?
Enable two-factor authentication on banking accounts so that a stolen password alone is not enough to log in. Update to Android 6.0 Marshmallow where your device supports it, since Android.Fakelogin does not work on that version. Keep your software up to date, install apps only from legitimate app stores, and think twice before granting device administrator rights to an app, especially one that has no reason to manage the device.