Millions of customers of Australia’s big four banks and other banks and financial institutions globally were recently the target of a mobile malware attack (20 banking apps in total). The sophisticated attack on Android devices is able to steal banking credentials and outsmart two-factor authentication security. It is anticipated that these types of mobile malware attacks are only going to increase over time.

The malware was detected in March 2016 as Android/Spy.Agent.SI by ESET security systems. It sneaks onto Android devices by masquerading as the Adobe Flash Player application, which many websites require in order to play streaming video. Once installed, the app requests device administrator rights, checks for installed banking applications and sends this information to a remote server in order to download fake login screens.

How It Works

The malware launches as an overlay. If a target banking application is launched, the malware is triggered and a fake login screen appears over the original mobile banking one. The overlay behaves like a lock screen, which cannot be closed without the user entering their login credentials. After the user fills in their personal data, the malware does not verify the credibility of the data entered; it simply sends it to a remote server. The fake overlay then closes and the legitimate mobile banking is shown. All of the information exchanged between the device and the server is encoded, except for the stolen credentials, which are sent in plain text. This is an example of a Man-in-the-Middle attack.

As well as stealing login details, the malware can also intercept two-factor authentication codes sent to the phone via SMS. All received text messages can be sent to the server, which allows the attacker to intercept text messages from the bank and immediately remove them from the client device, to avoid detection. With access to this information, criminals can bypass a bank’s security measures to log into the victims’ online banking account from anywhere in the world and transfer funds.

The malicious Flash Player application is not found on Android’s official Google Play app store. Phone users are duped into installing the app via infected websites or phony messages. To become infected, Android owners are required to override the phone’s default security option and accept apps from “unknown sources”. The download is available from a number of fake domains, including flashplayeerupdate.com, adobeflashplaayer.com and adobeplayerdownload.com.

How It Can Be Taken Down

There are two parts that need to be taken down for this type of malware. Firstly, the actual application download link can be removed from the Internet, which will stop any future downloads. However, if someone already has the app installed on their device, they are still at risk.

Secondly, the actual phishing site needs to be removed, but this is trickier. FraudWatch International can decompile the malware attack to find the associated phishing files and take action on them.

Removing Malware from Your Android Device

You need to disable administrator rights and then uninstall the fake Flash Player app from your device. You can do this by choosing Settings -> Security -> Device administrators -> Flash Player-> Deactivate. Attempts to remove Flash Player from this list will generate a fake alert warning that data may be lost, but it is safe to press OK. Once administrator rights have been disabled, you can uninstall the malware by selecting Settings -> Apps/Application manager -> Flash Player -> Uninstall.

In some cases the malware superimposes a fake warning over the Device Administration list to prevent deactivation. To solve this, simply restart the Android device in Safe Mode, which restarts the device with all installed apps disabled. This prevents the malware from blocking access to the Device Administration list. Safe Mode is activated in different ways on different devices, so consult your manual or a support website.

Google already provides its Google Safe Browsing service, to blacklist unsafe websites, but they are now expanding the list to block dodgy advertisements and pop-ups which pose as buttons, security warnings or other misleading notifications. The most common scams are those which insist that visitors to a website install extra media player software, or update existing software such as Adobe Flash, in order to watch online videos, while actually trying to sneak malicious software onto your device.

FraudWatch International recommends having Anti-Virus software installed on your Android devices. It is also important to always download apps directly from the Google Play store, not from email links or websites.