November 1, 2018 By Shane Schick 2 min read

Nearly 30,000 Android users accidentally downloaded banking malware after being tricked by personalized phishing forms based on the apps they use.

Google removed 29 malicious apps from its Play Store after learning about the threat, according to a report from ESET. Although the apps were attributed to different developers, the researchers discovered enough common code to suggest that they were all created by the same malware author or threat group.

The malware enables the attackers to send and receive text messages on infected Android devices, which allows them to get past multifactor authentication (MFA) protocols that might otherwise have protected the user’s banking data. The malware can also impersonate software from victims’ financial institutions and download additional apps to compromised devices.

A Unique Approach to Distributing Banking Malware

Creating phony versions of banking sites is one of the oldest phishing schemes in the book, but these attackers took a more subtle approach. They scanned the other, legitimate apps on the device, grabbed some HTML code and used it to create a tailor-made form to fool victims with bogus error messages.

Some victims received a notification that their app was no longer compatible with their device and had been removed, for instance. Meanwhile, the attackers used a dropper to check for sandboxes and emulators. If they didn’t find any, a loader was decrypted with a payload containing the banking malware.

The 29 malicious apps included popular utilities such as battery managers, device boosters and cleaners, the researchers noted. Others, such as phony horoscope apps, targeted users seeking casual entertainment.

The Case For Client-Based Fraud Detection

People tend to be pretty fast on their smartphones, which means there may not be a lot of time between the moment a user downloads an app with a banking Trojan and when the payload is executed.

IBM experts recommend investing in client-side fraud detection to close this gap, along with technology that can identify malicious apps as early as possible. Given how easily cybercriminals can not only replicate banking sites but create a one-to-one approach with personalized forms, organizations will need to be ready to adapt to new phishing techniques faster than ever.

Source: ESET

More from

ONCD releases 2024 Report on the Cybersecurity Posture of the U.S.

4 min read - On May 7, the Office of the National Cyber Director (ONCD) released the 2024 Report on the Cybersecurity Posture of the United States. This new document is a report card on how well cyber policy followed the guidelines set by the National Cybersecurity Strategy, introduced in March 2023. Here’s what you need to know about the newly released report. Fundamental shifts in cyber roles Over the past year, the U.S. national cybersecurity posture was driven by the 2023 National Cybersecurity…

CISA wants private industry to publicly commit to Secure by Design

4 min read - The tech industry has the power to protect the world from nation-state threat attacks, cyber crime and those wanting to compromise data and manipulate critical infrastructure. But with this power comes great responsibility, which, to be honest, the tech industry has not been that interested in holding. But at the RSA Conference (RSAC) in San Francisco, the cybersecurity and tech communities took steps to exert some power and take responsibility. They took the Secure by Design pledge, a promise to…

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today