Android Bank Apps Steal SMS

Tuesday, December 18, 2012 @ 01:12 PM gHale

Android apps designed to steal mobile transaction authentication numbers (mTANs) sent by banks to their customers over SMS (Short Message Service) were on Google Play, said researchers from antivirus vendor Kaspersky Lab.

A gang that uses a variant of the Carberp banking malware to target the customers of several Russian banks created the apps, said Denis Maslennikov, a senior malware analyst at Kaspersky.

Banks use mTANs as a security mechanism to prevent cybercriminals from transferring money from compromised online banking accounts. When a transaction is initiated from an online banking account, the bank sends a unique code called an mTAN via SMS to the account owner’s phone number. The account owner has to enter that code on the online banking website to authorize the transaction.

To defeat this type of defense, cybercriminals created malicious mobile apps that automatically hide SMS messages received from numbers associated with the targeted banks and silently upload the messages to their servers. Victims are tricked into downloading and installing these apps on their phones by rogue messages displayed when they visit their bank’s website from an infected computer.

SMS-stealing apps have previously worked with the Zeus and SpyEye banking Trojan programs. Those mobile components are known as Zeus-in-the-Mobile (ZitMo) and SpyEye-in-the-Mobile (SpitMo). However, this is the first time researchers have found a rogue mobile component designed specifically for the Carberp malware, Maslennikov said.

Unlike Zeus and SpyEye, the Carberp Trojan program primarily targets online banking customers from Russia and other Russian-speaking countries like Ukraine, Belarus or Kazakhstan.

The apps found on Google Play masqueraded as mobile applications from Sberbank and Alfa-Bank, two of Russia’s largest banks, and VKontakte, the most popular online social networking service in Russia, Maslennikov said. Kaspersky contacted Google on Wednesday and all CitMo variants were gone from the market by Thursday, he said.
