It’s a rough year to be an Android fan: a new banking Trojan has infected over 200,000 Android devices over the last month by pushing users to enter their online or banking credentials into a fake screen overlaid on top of the app they have open.
The Android Trojan is targeting a collection of over 90 banks and other financial services — including JP Morgan Chase, Credit Karma, Bank of America, Deutsche Bank, and American Express — in the U.S. and throughout countries in Europe, including Turkey and Austria.
“Certain [financial] apps leverage SMS to send fraud alerts,” says Tim Condello, technical account manager for information security company RedOwl. “With [the malware’s] ability to intercept calls and texts it could impede the user’s ability to know that there is fraud on that account.”
Intercepting SMS and calls is, according to Condello, a way around two-factor authentication rather than a break of it: the malware sits inside SMS traffic and needs administrator rights to work, so two-factor authentication hasn’t been shoved wide open, just skirted.
The two-factor method of authentication is, of course, employed by a multitude of apps, but it is a favorite among banks and other money services one might use on mobile, and mobile banking is being used by more and more people across the globe.
“Many banks are using [two-factor] to authenticate who the user is,” says Don Duncan, security engineer at behavioral biometrics company NuData Security, who added that for banks, stopping these types of data breaches is an integral part of building a relationship of trust with mobile users.
“The question [for us] becomes, how can we help the banks allow users to safely bank [on mobile]?” says Duncan. “The nice thing about behavioral biometrics is that it can occur without being in the user’s face.”
The malware works the way most Trojans work: it overlays a branded screen on the app a user opens, and that screen asks the user to input their credit card information or banking credentials.
Displaying a fake login screen over a banking app is definitely a concern, but the good news is that it’s very easy to see if your Android device is one of the horde: the Trojan will also display a screen asking for credentials over social media apps like Facebook or Twitter, which is a pretty clear-cut indicator that something is off with your phone.
Even though this Trojan has infected more than 200,000 individual devices in half a dozen countries, and has targeted 90+ banks, the other intriguing thing about this malware is the fact that it actually requires a very specific set of circumstances to occur before it, well, works.
First, the user can’t have any kind of anti-virus software on their device, because the malware would be picked up immediately. Next, the malware has also been removed from the Google Play store, so downloading it requires a user to do what’s called “sideloading”, essentially installing an app from outside the Play store.
Finally, the malware can only work if the user grants it administrator rights.
As it’s easy to tell if your device is infected — at least if a credit card information screen is showing up over Facebook — it’s equally easy to disarm the Trojan: simply revoke its administrator rights in Settings, then uninstall the Trojan like you would any other app.
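Checking for the combination the article describes (a sideloaded app that has been granted administrator rights), as an added example that is not from the original article: a Python triage helper over the output of `adb shell dumpsys device_policy` and `adb shell pm list packages -i`. The sample output below is constructed, the `ComponentInfo{...}` and `installer=` line formats are assumed, and the system-package allowlist is a placeholder for the packages legitimately holding admin rights on your own device.

```python
import re

# Constructed sample of `adb shell dumpsys device_policy` output (assumption:
# each enabled admin is identified by a ComponentInfo{pkg/cls} line).
DEVICE_POLICY_SAMPLE = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.android.settings/com.android.settings.DeviceAdminReceiver}:
      uid=1000
    ComponentInfo{com.flash.player.update/com.flash.player.update.Admin}:
      uid=10231
"""

# Constructed sample of `adb shell pm list packages -i` output
# (installer=null means the package was not installed by a store app).
PM_LIST_SAMPLE = """\
package:com.android.settings  installer=null
package:com.example.bank  installer=com.android.vending
package:com.flash.player.update  installer=null
"""

PLAY_STORE = "com.android.vending"
ADMIN_RE = re.compile(r"ComponentInfo\{([\w.]+)/[\w.$]+\}")
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)", re.M)


def parse_device_admins(text):
    """Return the set of package names that hold device-administrator rights."""
    return set(ADMIN_RE.findall(text))


def parse_installers(text):
    """Map each package name to the package that installed it ('null' = none)."""
    return {pkg: inst for pkg, inst in PKG_RE.findall(text)}


def suspicious_admins(admin_text, pm_text, system_pkgs=("com.android.settings",)):
    """Device admins that were not installed from the Play store and are not on
    the (placeholder) system allowlist: sideloaded apps holding admin rights."""
    admins = parse_device_admins(admin_text)
    installers = parse_installers(pm_text)
    return sorted(
        pkg for pkg in admins
        if pkg not in system_pkgs and installers.get(pkg, "null") != PLAY_STORE
    )
```

Any package this returns is a candidate for the removal steps above: revoke its administrator rights in Settings, then uninstall it.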
So far no version of the malware appears to have migrated over to Apple products.