Australia's largest banks are the main targets of an Android attack which steals banking details and thwarts two-factor authentication security.
The customers of National Australia Bank, ANZ Bank, Commonwealth Bank and Westpac are currently threatened by the malware which hides on infected devices waiting until users open legitimate banking applications. After that, the malware superimposes a fake login screen over the top in order to steal usernames and passwords.
The Android malware is designed to mimic 20 mobile banking apps from Australia, New Zealand and Turkey, as well as login screens for PayPal, eBay, Skype, WhatsApp and several Google services.
Apart from Australia’s Big Four banks, the malware targets a range of other financial institutions including Bendigo Bank, St. George Bank, Bankwest, ME Bank, ASB Bank, Bank of New Zealand, Kiwibank, Wells Fargo, Halkbank, Yapı Kredi Bank, VakıfBank, Garanti Bank, Akbank, Finansbank, Türkiye İş Bankası and Ziraat Bankası.
Alongside stealing customers’ login details, the malware can also intercept two-factor authentication codes sent to the phone via SMS — forwarding the code to hackers while hiding it from the owner of the phone. With access to this information, thieves can bypass a bank’s security measures to log into the victims’ online banking account from anywhere in the world and transfer funds.
According to senior researcher Nick FitzGerald, the malware attack has evolved over time, becoming more sophisticated as hackers update the software to defeat security countermeasures.
“This is a significant attack on the banking sector in Australia and New Zealand, and shouldn’t be taken lightly,” FitzGerald stated. “While 20 banking apps have been targeted so far, there’s a high possibility the e-criminals involved will further develop this malware to attack more banking apps in the future.”
Security experts reported that the malware sneaks onto Android devices by imitating the Adobe Flash Player application which many websites require in order to play streaming video. After being installed, the application requests device administrator rights, checks for installed banking applications and then reports back to base in order to download the relevant fake login screens.
The infected Flash Player application does not come from Android’s official Google Play app store; instead, phone users are tricked into installing it via infected websites or bogus messages. To become infected, Android owners must override the default security option and accept apps from unknown sources. The download comes from various corrupted domains including flashplayeerupdate(dot)com, adobeflashplaayer(dot)com and adobeplayerdownload(dot)com.
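The three download domains above all stack Adobe Flash brand words, two of them with a doubled letter. As an added example (not part of the original report), the following sketch shows how a defender could triage hostnames from proxy or DNS logs for that pattern; the `OFFICIAL` allowlist, the token list and the function names are assumptions made for illustration.

```python
import re

BRAND_TOKENS = ("adobe", "flash", "player")   # words the fake installer imitates
OFFICIAL = {"adobe.com"}                      # assumed allowlist for this sketch

def refang(indicator):
    """Turn a defanged indicator such as name(dot)com into a hostname."""
    host = indicator.strip().lower()
    for marker in ("(dot)", "[.]"):
        host = host.replace(marker, ".")
    return host.strip(".")

def collapse(text):
    """Squeeze runs of a repeated character: 'plaayer' -> 'player'."""
    return re.sub(r"(.)\1+", r"\1", text)

def assess(indicator):
    """Return (verdict, tokens); tokens maps each brand word to how it matched."""
    labels = refang(indicator).split(".")
    registrable = ".".join(labels[-2:])       # naive: ignores multi-part suffixes
    if registrable in OFFICIAL:
        return "official", {}
    name = "".join(labels[:-1])               # everything left of the TLD
    squeezed = collapse(name)
    tokens = {}
    for token in BRAND_TOKENS:
        if token in name:
            tokens[token] = "exact"
        elif collapse(token) in squeezed:
            tokens[token] = "repeated-letter typo"
    # One generic word ("player") is too weak; require the vendor name or two hits.
    suspicious = "adobe" in tokens or len(tokens) >= 2
    return ("lookalike" if suspicious else "unrelated"), tokens

def triage(indicators):
    """Keep only the hostnames judged to be brand lookalikes."""
    return [i for i in indicators if assess(i)[0] == "lookalike"]

# First three are the domains named in the article; the rest are constructed.
SAMPLES = [
    "flashplayeerupdate(dot)com",
    "adobeflashplaayer(dot)com",
    "adobeplayerdownload(dot)com",
    "get.adobe.com",
    "musicplayer.example",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, *assess(sample))
```

A match is a reason to review the request, not proof of infection; the registrable-domain split is deliberately naive and would need a public-suffix list for production use.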
A spokesperson from Google warned against allowing your phone to install any applications downloaded from the web.
“It’s important to only install applications from sources you trust, such as Google Play,” the spokesperson said. “Over 1 billion devices are protected with Google Play which conducts 200 million security scans of devices per day.”
Users should also be aware that the bogus messages often insist that they must install extra media player software, or update existing software such as Adobe Flash.