A dangerous Android banking trojan discovered that targets 22 Turkish mobile banking apps
ESET researchers have discovered a dangerous Android banking trojan that masquerades as a weather forecast application on Google Play. The malware, dubbed Trojan.Android/Spy.Banker.HU, targeted the users of 22 Turkish mobile banking apps, whose credentials were harvested using fake login forms.
Banking trojans are a sophisticated class of malware designed to steal banking information using message interception, form grabbing, keystroke logging, screen capturing, fake login forms and other methods.
According to ESET, Spy.Banker.HU is able to bypass SMS-based two-factor authentication by intercepting victims’ text messages. It also comes packaged with malicious functions such as remote device locking-unlocking and screen locking.
It was a trojanized version of the legitimate weather forecast application called Good Weather: it kept the weather forecast functionality of the original application in order to convince its victims that it was genuine.
How does Trojan.Android/Spy.Banker.HU work?
After installation, a fake window requesting administrator rights appears. Granting administrator rights allows the trojan to change the screen-unlock password and lock the screen. It also obtains permission to intercept text messages during the installation process.
The next step is to send device information to the C&C server and listen for remote commands (such as intercepting text messages, forwarding intercepted messages to the C&C, locking the device, etc.).
If the victim runs one of the targeted banking applications, a fake login screen is displayed to harvest banking credentials and send them to the attackers.
As for the device locking, we suspect this function enters the picture when cashing out the compromised bank account, to keep the fraudulent activity hidden from the user. Once locked out, all victims can do is wait until the malware receives a command to unlock the device.
How do I know if my device is infected?
If you have recently installed the ‘Good Weather’ application, go to ‘Settings -> Application Manager’ and search for it. If the application appears with a blue icon, your device is infected. If a yellow icon appears, you are safe.
If your device is infected, the malware can be removed manually. First, revoke the administrator rights under Settings -> Security -> System update. Then uninstall the malicious application under Settings -> Application Manager -> Good Weather.
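The combination described above, an app holding device administrator rights while also being able to receive SMS, is worth checking for beyond this one sample. The following Android (Java) helper is an added example written for this article, not code from ESET or from the Good Weather app; the class and method names are hypothetical, and it only uses standard Android APIs (DevicePolicyManager.getActiveAdmins and PackageManager.checkPermission).

```java
import android.Manifest;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical on-device triage helper: lists active device admins that can receive SMS. */
public final class AdminSmsAudit {

    /** One flagged package: it is an active device admin and holds RECEIVE_SMS. */
    public static final class Finding {
        public final String packageName;
        public final String label;

        Finding(String packageName, String label) {
            this.packageName = packageName;
            this.label = label;
        }

        @Override
        public String toString() {
            return label + " (" + packageName + ")";
        }
    }

    /** Returns every active device admin whose package also holds RECEIVE_SMS. */
    public static List<Finding> audit(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        PackageManager pm = ctx.getPackageManager();
        List<Finding> findings = new ArrayList<>();
        List<ComponentName> admins = dpm.getActiveAdmins(); // null when no admin is active
        if (admins == null) {
            return findings;
        }
        for (ComponentName admin : admins) {
            String pkg = admin.getPackageName();
            // On Android 11+ a package the caller cannot see is reported as DENIED,
            // so a calling app needs QUERY_ALL_PACKAGES or a <queries> declaration.
            boolean canReceiveSms = pm.checkPermission(Manifest.permission.RECEIVE_SMS, pkg)
                    == PackageManager.PERMISSION_GRANTED;
            if (!canReceiveSms) {
                continue;
            }
            String label = pkg; // fall back to the package name if the label cannot be resolved
            try {
                ApplicationInfo ai = pm.getApplicationInfo(pkg, 0);
                label = String.valueOf(pm.getApplicationLabel(ai));
            } catch (PackageManager.NameNotFoundException ignored) {
                // package disappeared between the two calls; keep the package name as label
            }
            findings.add(new Finding(pkg, label));
        }
        return findings;
    }
}
```

A match is a lead, not proof: legitimate anti-theft or MDM apps can also hold both capabilities, so each finding should be compared with what the user knowingly installed before revoking its admin rights as described above.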
As a final note, the targeted banking applications are as follows: