Android devices have long been the most common target of malware such as Trojans, because the ecosystem lacks a centralized mechanism for rolling out security updates and fixes.
But unlike most Trojans that have targeted Android handsets in the past, this new mobile banking Trojan raises the level of sophistication with new capabilities to defy removal attempts and bypass two-factor authentication. Security researchers at ESET were the first to detect the Trojan, which hides its real identity under the cloak of a mobile banking app. In reality, it works to steal mobile banking credentials and other sensitive data.
Banks based in New Zealand, Australia and Turkey were the first to see the Trojan at work, with their customers having been targeted by the malware. The Trojan is designed to copy a bank's Flash Player-based mobile app in order to deceive its target victims. At the same time as it replicates the mobile app, the Trojan also bypasses additional layers of security such as two-factor authentication.
Because of the near-perfect appearance of the banking app, a user is easily convinced to grant it administrative privileges once it is downloaded and installed on the device. The request for administrative rights is the Trojan's first line of defence against future removal attempts, because from then on it hides itself from the owner's view. According to ESET researchers, the administrative rights make the Trojan difficult to uninstall.
The malware then removes the bank's Flash Player icon from the device before contacting its command-and-control server and sending basic data about the handset, such as the IMEI number, the model, the software development kit version and whether the device administrator is active.
Once those pieces of data have been transmitted to the command-and-control server, the attacker collects data about the apps installed on the device before forging a bogus login page for a banking firm, which serves as the attack vector. Once this is done, the Trojan gathers other sensitive personal data, such as information on the user's Google account. The user can only dismiss the fake login page by entering login credentials.
When the Trojan completes the entire procedure for launching its attack, the malware is then able to work around even the strongest security measures companies have adopted to date, such as two-factor authentication in which an SMS is sent to the user for further verification. When the owner tries to uninstall the app, security experts warn that some data might be deleted or the device might even be deactivated.