17 March 2015
If you use the Internet, you have probably had to prove your identity by jumping through an extra hoop. Perhaps it was entering the code from a special app, or copying the code from a text message. But if that information were intercepted, an attacker could gain access to your account. That’s exactly the scenario we look at this week.
Malwarebytes detects this particular piece of Android malware as Trojan.Spy.FakeBank.ir. This name is pretty self explanatory: The fake app (Trojan) is disguised as a banking app (FakeBank) targeting Iranian users (.ir) and can steal two-factor verification codes (Spy). In short, it’s not something anyone wants on their phone.
Once installed on a victim’s phone, the app monitors SMS activity for incoming verification messages from the Iranian bank it seeks to imitate. When one arrives, it copies the information into another message and sends it out via SMS, presumably to the app’s dastardly master.
Though the app targets Iranian Android users, Malwarebytes reports that the app’s command and control servers appear to be located in Latvia. Of course, that could simply mean that the attackers are renting server space in the northern Baltic state.
Interestingly, the report from Malwarebytes seems to indicate that the app only captures the two-factor authentication texts and not necessarily the victim’s main user name and password. We’ve seen some examples of mobile Trojans working in conjunction with desktop Trojans to steal victims’ banking information. That may be the case here.
How to Stay Safe
Malware is frequently targeted by region and language, and this example is no exception. Malwarebytes reports that this particular app targets Farsi speakers, so many of our readers will likely never encounter it.
Also, the app is usually found on third-party marketplaces and file sharing sites. This is a common tactic for distributing malware, especially in countries that haven’t always had access to the Google Play store. As of writing, Android users in Iran can download free apps from Google Play, but paid apps are off the table. As always, you should stick to the Google Play store for all your app needs, and never sideload apps from third party shops. Watch out for links from your friends,too, as some malware can hijack phones to spread itself to fresh victims.
And on the subject of mobile banking, it’s a good idea to restrict your monetary activities to cellular data connections or trusted Wi-Fi networks. Don’t log into your bank when connected to the local cafe’s wireless network. You never know who might be listening.
Lastly, consider installing mobile antivirus apps on your phone. Malwarebytes has its own offering, along with Editors’ Choice winners Bitdefender Mobile Security and Antivirus and avast! Mobile Security & Antivirus.
Banks have worked hard to make their mobile and online experiences as painless and secure as possible, but you’ll have to do some of the work, too. Don’t let a dangerous app undermine layers of security and separate you from your hard-earned cash.
Source – http://securitywatch.pcmag.com/mobile-security/332940-mobile-threat-monday-android-malware-breaks-banking-security