Banking apps not safe to use on Android devices
August 2, 2017
It now appears that a new kind of Android malware is tricking mobile banking customers into doing things they don't want, particularly those in Britain and Germany.
To be sure, the so-called Svpeng software has been around since 2013 but its creator was caught and thrown in jail a year later.
What users need to know is that the malware has nevertheless kept evolving, as other hackers try their hand at building on the earlier Svpeng code.
Researchers at Kaspersky Lab have now discovered a similar strain that abuses Android's accessibility services to place an invisible overlay on top of otherwise legitimate banking apps installed on the Android device.
That same covert layer then intercepts touchscreen keypresses to the underlying application, resulting in a very unsafe banking app.
It simply acts like a key-logger, picking up a victim's login details as they access their banking account. With that information, and access to various text messages, hackers controlling the spyware can siphon off those sensitive details, among others.
The malware is disguised as a fake Flash player download, and marks are lured into installing the malicious software as an .apk file.
And it doesn't matter if you're running the latest version of Android OS and the latest security patches since the evil app uses the granted accessibility privilege to do its dirty work, rather than relying on exploiting software vulnerabilities.
"The Trojan-Banker.Android.OS.Svpeng.ae is distributed from various malicious websites as a fake Flash player plugin," asserted Roman Unuchek, malware analyst at Kaspersky Lab.
"Its malicious techniques work even on fully updated devices with the latest Android version and all security updates installed. By accessing only one system feature, this Trojan malware can gain all necessary additional rights and steal lots of data."
Once the user is tricked into installing the Svpeng malware, it asks for full permission to Android accessibility services, which should be a clear red flag for most users.
Naturally, once that permission has been granted, the nasty things start and it's the beginning of the end.
According to Kaspersky: "It grants itself device administrator rights, draws itself over other apps, then installs itself as a default SMS app, and grants itself some dynamic permissions that include the ability to send and receive SMS, make calls, and read contacts."
"Furthermore, using its newly-gained abilities, the Trojan malware can also block any potential attempt in removing any device administrator rights, thereby preventing its uninstallation. It's interesting that in doing so it also blocks any attempt to add or remove device administrator rights for any other app too," Kaspersky Lab added.
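The privilege chain Kaspersky describes (accessibility service, then device administrator, then default SMS app, all held by a sideloaded package) can be checked for on a device. The Python below is an added example, not code from Kaspersky or from this article. It assumes its inputs are text captured with `adb shell settings get secure enabled_accessibility_services`, the "Enabled Device Admins" section of `adb shell dumpsys device_policy`, `adb shell settings get secure sms_default_application` and `adb shell pm list packages -i`; the exact output layout varies by Android version, and the `com.example.*` package names and sample data are constructed.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Play Store is trusted

def packages_in(components_text):
    """Package names from 'pkg/class' component strings, whatever separates them."""
    return set(re.findall(r"([A-Za-z]\w*(?:\.\w+)+)/[\w.$]+", components_text or ""))

def installers(pm_list_text):
    """Parse 'package:<pkg>  installer=<pkg|null>' lines into {pkg: installer}."""
    return dict(re.findall(r"package:(\S+)\s+installer=(\S+)", pm_list_text))

def audit(a11y_setting, admin_section, sms_default, pm_list_text):
    """Return sideloaded packages that hold accessibility plus another role."""
    roles = {}
    for pkg in packages_in(a11y_setting):
        roles.setdefault(pkg, []).append("accessibility service")
    for pkg in packages_in(admin_section):
        roles.setdefault(pkg, []).append("device admin")
    if sms_default.strip() not in ("", "null"):
        roles.setdefault(sms_default.strip(), []).append("default SMS app")
    source = installers(pm_list_text)
    return {
        pkg: held for pkg, held in sorted(roles.items())
        if "accessibility service" in held and len(held) >= 2
        and source.get(pkg, "null") not in TRUSTED_INSTALLERS
    }

# Constructed sample data, not taken from a real device or from the article.
A11Y = ("com.google.android.marvin.talkback/"
        "com.google.android.marvin.talkback.TalkBackService:"
        "com.example.flashupdate/.CoreService")
ADMINS = """Enabled Device Admins (User 0):
  com.example.mdm/.AdminReceiver:
  com.example.flashupdate/.AdminReceiver:
"""
SMS_DEFAULT = "com.example.flashupdate\n"
PM_LIST = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.mdm  installer=com.android.vending
package:com.example.flashupdate  installer=null
"""

if __name__ == "__main__":
    for pkg, held in audit(A11Y, ADMINS, SMS_DEFAULT, PM_LIST).items():
        print(f"REVIEW {pkg}: sideloaded, holds {', '.join(held)}")
```

A screen reader installed from the Play Store is not flagged; only a package that combines the accessibility service with a second role and has no trusted installer is reported for review.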
Once this invisible man-in-the-middle malware is in place, it then envelops no less than fourteen banking apps in Britain, ten in Germany, nine in each of Turkey and Australia, eight in France, seven in Poland, and six in Singapore.
And if all of that wasn't bad enough, it also connects to a remote command-and-control center for further instructions from its masterminds. It can also be ordered to send text messages, hand over texts, contacts, lists of installed apps, and call logs.
It can also start intercepting incoming SMSes. Additionally, it can send back screenshots of the device every time the keyboard is touched, and it supports a few third-party keyboards as well as the standard Android one.
The only way to be completely safe against the malware, other than avoiding downloading and installing random .apks from websites, is to have your smartphone set to the Russian language.
If Svpeng detects it's on a Russian phone, it deactivates and deletes itself, a move Unuchek said was increasingly popular with Russian malware writers looking to avoid prosecution on their home turf. We'll keep you updated.
Source: Kaspersky Lab.