The trojan called SpyLocker is described as a new version of Android malware which shows credential phishing popups for customers of EU banks and some of the popular Android applications
In fact, Intel Security researchers noticed SpyLocker in a previous campaign, when it was disguised as a Flash Player application for Android users, distributed via websites with adult material. The attack targeted customers of banks in Turkey, Australia, and New Zealand.
Now the security experts are reporting on a new wave of malware attacks, which distribute the same fake Flash for Android application, or sometimes a fake Android system update app, in order to infect users. However, there is one difference this time – apart from their own servers, hackers are also utilizing hacked WordPress and Joomla websites.
Intel Security researchers claim that the newly founded banking trojan is rather similar to Police Locker – an Android ransomware variant which was active in 2014. Actually, there are some similarities indeed, however, they don’t matter that much.
According to Intel Security, the latest SpyLocker campaign only targets customers of banks in France, Poland, and the UK. Also, the company claims that it discovered the necessary modules to target Russian banks, however, the hackers didn’t seem to be interested in doing so.
Apart from showing classic popups with bank login forms for mobile banking apps created by different financial institutions, SpyLocker also targets some popular apps and services such as Google accounts, eBay or Instagram.
As soon as the trojan collects the desired information, it sends it to a C&C server, together with some other details about the infected device. Besides, SpyLocker is capable of intercepting incoming SMS messages, check a list of installed apps, access the call history, etc.
In fact, SpyLocker appears to be a carbon copy of all the same things that other modern Android banking trojans can do.
The malicious functionality of SpyLocker is powered by its ability to attain administrator privileges. In case users avoid granting such rights to applications they’ve downloaded from a suspicious website, then most of them should be safe.
Android.SmsSpy is another interesting Android malware version which was discovered last week by Dr.Web. This malware blended ransomware and banking trojan features, targeting only Russian users.