Android Banking Trojan Difficult to Remove
Posted by: Timothy Weaver on 03/11/2016 12:06 PM
Dubbed Android/Spy.Agent.si, the malware camouflages itself as a legitimate mobile banking app, but instead of giving access to a person's bank account it steals login credentials.
ESET has identified two particularly nasty traits in this malware: first, it mimics the bank's FlashPlayer-based mobile app to lure the victim into installing it, and second, it bypasses SMS two-factor authentication.
The first thing it does is request admin rights. Granting them is what enables the later behaviour that makes the app nearly impossible to remove.
The next step the malware takes is to remove the bank's Flash Player icon from view. Next, the malware contacts its command and control server where it transmits basic information like model type, IMEI number, language, software development kit version and whether the device administrator is activated.
ESET malware researcher Lukas Stefanko said: "The malware then gathers the package names of installed applications (including mobile banking apps) and sends them to the remote server. If any of the installed apps are targets of the malware, the server sends a full list of 49 target apps, although not all of these are directly attacked."
The next step in the assault has the malware display a false login screen that cannot be dismissed until the device's login credentials are entered. Once fully installed, the malware can intercept and divert the real bank's two-factor authentication SMS text, so the victim is unaware anything is amiss.
The reason it is so difficult to remove is that the victim granted the app device administrator rights. If the victim tries to remove the app, it displays a warning message that data could be lost. This is a bogus warning, and the victim only needs to click continue to remove the app.
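The behaviours described above (device-admin rights, a hidden launcher icon, SMS access, an overlay login screen, and a "Flash Player" lure) can be turned into a simple triage rule for an installed-app inventory. The following is an added example and is not code from ESET, SCMagazine or this article; the app inventory is constructed, and the `InstalledApp` fields, package names and function names are assumptions. It also generalises the article's removal advice into an ordered remediation plan: revoke the device-administrator policy first, then uninstall.

```python
from dataclasses import dataclass, field

# Permission names as they appear in Android manifests.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"


@dataclass
class InstalledApp:
    """Minimal inventory record (assumed shape; not a real Android API)."""
    package: str
    label: str
    device_admin: bool          # holds an active device-administrator policy
    launcher_icon: bool         # still visible in the app drawer
    permissions: set = field(default_factory=set)


def indicators(app: InstalledApp) -> list:
    """Return the article's behavioural traits that this app exhibits."""
    hits = []
    if app.device_admin:
        hits.append("device-admin")
    if not app.launcher_icon:
        hits.append("hidden-icon")
    if app.permissions & SMS_PERMISSIONS:
        hits.append("sms-access")
    if OVERLAY_PERMISSION in app.permissions:
        hits.append("overlay-capable")
    # Adobe discontinued Flash Player for Android in 2012, so a "Flash Player"
    # app that also wants admin rights is a lure rather than a plugin.
    if "flash" in app.label.lower() and app.device_admin:
        hits.append("flash-player-lure")
    return hits


def is_suspicious(app: InstalledApp) -> bool:
    """Device-admin combined with at least one other trait is the pattern the
    article describes. A single trait on its own is normal for many legitimate
    apps (an SMS client, a corporate MDM agent), so it is not flagged."""
    hits = set(indicators(app))
    return "device-admin" in hits and len(hits - {"device-admin"}) >= 1


def removal_plan(app: InstalledApp) -> list:
    """Ordered manual remediation steps: the admin policy must be revoked
    before the package manager will allow the uninstall to go through."""
    steps = []
    if app.device_admin:
        steps.append("Settings > Security > Device administrators: deactivate " + app.package)
    steps.append("Settings > Apps: uninstall " + app.package)
    return steps


def triage(inventory) -> dict:
    """Map each suspicious package to the indicators that fired."""
    return {app.package: indicators(app) for app in inventory if is_suspicious(app)}


# Constructed sample inventory; package names are invented, not from the report.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.bank", "Example Bank", False, True,
                 {"android.permission.INTERNET"}),
    InstalledApp("com.example.messaging", "Messages", False, True,
                 SMS_PERMISSIONS | {"android.permission.INTERNET"}),
    InstalledApp("com.example.mdm", "Work Profile Agent", True, True,
                 {"android.permission.INTERNET"}),
    InstalledApp("com.fake.flashplayer", "Flash Player", True, False,
                 SMS_PERMISSIONS | {OVERLAY_PERMISSION, "android.permission.INTERNET"}),
]

if __name__ == "__main__":
    for pkg, hits in triage(SAMPLE_INVENTORY).items():
        print(pkg, hits)
        app = next(a for a in SAMPLE_INVENTORY if a.package == pkg)
        for step in removal_plan(app):
            print("  -", step)
```

Run stand-alone, the script flags only the fake Flash Player entry and prints its two-step removal plan; the MDM agent (device-admin only) and the messaging app (SMS only) are left alone, which is the point of requiring the combination rather than any single trait.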
Source: SCMagazine