A new banking Trojan discovered by ESET targets banking applications on Android devices. The malware can steal the login credentials of mobile banking customers and has the ability to bypass Two Factor Authentication (2FA) by intercepting and deleting SMS messages. Identified as Android/Spy.Agent.SI this malware can steal login credentials from 20 different mobile banking apps.

New Year Sees New Threats

Registered in late January or February of 2016 the Android/Spy.Agent.SI malware is available for download from several different servers. The URLs that host the malicious files are regenerated hourly making it difficult to detect with antivirus software.

The Trojan spreads by imitating a Flash Player application and even has a legitimate-looking icon. Once the malware has been installed, it requests administrative privileges to protect itself from being uninstalled. Next the malware checks if any of the targeted banking applications are installed on the device. If it finds a corresponding bank application, the malware loads fake login screens for each app from its command and control server. Once the victim launches the banking application, a fake login screen is placed over the app, and the screen is locked until the username and password are submitted.

CryptoJoker – Ransomware You Can Negotiate With

Cerber: Ransomware Speaks Bitcoin Demand

2FA Defeated

Once the cybercriminals have the username and password, they can use it to login to the bank account and start siphoning money off. The malware even allows the cybercriminals to retrieve all the SMS text messages received by the infected device and remove them.

"This allows SMS-based two-factor authentication of fraudulent transactions to be bypassed, without raising the suspicions of the device's owner," says Lukáš Štefanko, ESET Malware Researcher specializing in Android malware.

The banking Trojan has targeted large banks in Australia, New Zealand, and Turkey. "The attack has been massive, and it can be easily re-focused to another set of target banks," warns Štefanko. The 20 banks currently targeted are the largest financial institutions in each of the three countries.

Since the development is continuous, the malware could easily be modified to target large banking institutions in North America and Europe. As cybercriminals incorporate better methods of obfuscation and encryption into the malware, it will continue to become more malicious as it robs bank accounts of companies’ hard earned dollars.

How to Stop Ransomware Attacks

If the cybercriminals were able to breach your network once and extort money from you; they will return and attempt to do it over and over again. I’ve documented one customer that has been hit with ransomware three times. It is up to you to lock down your network, and after getting hit with ransomware once, you will begin to understand why that is so difficult to do. Here are a few things you can do right now to give yourself a fighting chance against cybercriminals and ransomware.

Employee Education: Cybercriminals use social engineering attacks to manipulate your employees to react to phishing emails and phone calls. Educate your employees to scrutinize suspicious emails and not divulge sensitive information over the telephone.

How Many of Your Employees Will Get Phished Today?

Gone Phishing: Why Human Resources is Vulnerable to Crypto Ransomware Attacks

Backups: Review and run regular backups of important files. If you are hit with ransomware, you can use a previous backup to restore your data. This can be a time-consuming process, and you might lose some work, but you may be able to avoid paying the ransom with a good backup.

Software Updates: It’s critical that you keep software updated and deploy security updates and service packs immediately. Patches address security vulnerabilities in software that cybercriminals exploit.

Advanced Endpoint Protection: Antivirus and a firewall are no longer sufficient measures to keep cybercriminals out of your network. Advanced Endpoint Protection uses behavior-based analysis to detect suspicious behavior that antivirus has missed.

Deploy WatchPoints: "WatchPoints" are files placed on your network to lure attackers who have breached your defenses. For example one WatchPoint offered is a Microsoft Word document that alerts you when it is accessed. The idea is to give it a very attractive title like “Sensitive Passwords.docx” to tempt the cybercriminals. If the document is accessed, you and the WatchPoint team automatically receive a notification.

Contact us to see how a simple WatchPoint sensor disguised as a Microsoft Word file works. When someone opens the document, you will get an email alert.

Further Reading…

How to Safely Download Software

When Failure to Act Results in a Compromised Network – A Sad Cryptolocker Tale

New Banking Trojans Emerge with the Death of the Dyre Virus