More than a year ago, PC users were warned about the personal-data-stealing malware Android.Bankosy. Now an updated version of the Trojan is out, and it can once again steal one-time passcodes delivered via voice call-based two-factor authentication (2FA) systems.
2FA systems are commonly used by banks to communicate one-time passcodes to customers. Traditionally these passcodes have been delivered via SMS, but voice-call delivery is becoming increasingly common.
Android.Bankosy is a dangerous piece of malware that introduces a call-forwarding feature: 2FA calls are redirected to a C&C server so that the code can be intercepted and used by cyber criminals.
The malware enables call forwarding on an infected phone and can also switch the device to silent mode to avoid alerting the victim to incoming calls. A successful attack depends on the victim's basic login credentials having already been stolen, but the malware still represents a worrying new development in breaking through banking security.
This is how Android.Bankosy works, as described by Dinesh Venkatesan of Symantec:
“Once the malware is installed on the victim’s device, it opens a back door, collects a list of system-specific information, and sends it to the command and control (C&C) server to register the device and then get a unique identifier for the infected device. If the registration is successful, it uses the received unique identifier to further communicate with the C&C server and receive commands.
Most of the commands supported by the malware are common and trivial for typical back door or financial Trojans, such as intercepting incoming SMS, deleting SMS messages, wiping the data, etc. Out of these multiple commands, the most relevant for Android.Bankosy is call_forwarding; when this command is received by the malware from the C&C server, it executes a payload to enable call forwarding.”
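As an added example that is not part of this article or of Symantec's analysis, the following Python detection logic flags the behaviour chain described above, a non-telephony app enabling call forwarding alongside silent mode or SMS tampering, over constructed device-telemetry events. The event format, field names and app package names are assumptions for illustration.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample telemetry (hypothetical MDM/EDR event feed, not a real log format).
SAMPLE_EVENTS = [
    {"ts": "2016-01-20T09:00:01", "device": "dev-1", "app": "com.android.phone",
     "event": "call_forwarding", "enabled": True},
    {"ts": "2016-01-20T10:15:00", "device": "dev-2", "app": "com.example.fakebank",
     "event": "ringer_mode", "mode": "silent"},
    {"ts": "2016-01-20T10:15:04", "device": "dev-2", "app": "com.example.fakebank",
     "event": "call_forwarding", "enabled": True},
    {"ts": "2016-01-20T10:15:09", "device": "dev-2", "app": "com.example.fakebank",
     "event": "sms_deleted"},
    {"ts": "2016-01-20T11:00:00", "device": "dev-3", "app": "com.example.game",
     "event": "ringer_mode", "mode": "silent"},
]

# Apps through which a user legitimately changes forwarding (assumed allow-list).
TRUSTED_CALL_APPS = {"com.android.phone", "com.android.settings"}
WINDOW = timedelta(minutes=5)


def flag_bankosy_like(events, window=WINDOW, trusted=TRUSTED_CALL_APPS):
    """Return {device: [reasons]} for devices where a non-telephony app enabled
    call forwarding, adding reasons if the same app also silenced the ringer or
    tampered with SMS within the time window (the Bankosy behaviour chain)."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(dict(e, ts=datetime.fromisoformat(e["ts"])))
    alerts = {}
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        for fwd in evs:
            if fwd["event"] != "call_forwarding" or not fwd.get("enabled"):
                continue
            if fwd["app"] in trusted:
                continue  # user-driven forwarding via the stock telephony UI
            reasons = [f"{fwd['app']} enabled call forwarding"]
            for other in evs:
                if other["app"] != fwd["app"] or abs(other["ts"] - fwd["ts"]) > window:
                    continue
                if other["event"] == "ringer_mode" and other.get("mode") == "silent":
                    reasons.append("same app set ringer to silent")
                if other["event"] in ("sms_deleted", "sms_intercepted"):
                    reasons.append(f"same app performed {other['event']}")
            alerts.setdefault(device, []).extend(reasons)
    return alerts
```

On the constructed feed, only dev-2 is flagged; a device where forwarding was switched on through the stock phone app (dev-1) is ignored.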