Bad guys are always looking for ways to up their game and find ways around the defenses that security companies and users put in their way. To wit, an Android banking Trojan called Bankosy that has added a new capability that allows attackers to bypass voice-based two-factor authentication.

The malware has been around for a while, doing the things that banking Trojans do, which is stealing user credentials and then money. One of the ways that the malware accomplishes that is by intercepting SMS messages from banks that send one-time passwords as part of a two-factor or two-step verification scheme. The attackers behind the malware can use those OTPs in conjunction with the credentials Bankosy already has stolen to log into victims’ accounts.

Banks are aware of this tactic and they attempt to circumvent it by calling users directly to verify a login attempt. Researchers at Symantec recently discovered that Bankosy has added functionality that can enable call forwarding, so that those calls from banks are sent to the attackers rather than the users.

“Once the malware is installed on the victim’s device, it opens a back door, collects a list of system-specific information, and sends it to the command and control (C&C) server to register the device and then get a unique identifier for the infected device. If the registration is successful, it uses the received unique identifier to further communicate with the C&C server and receive commands,” Dinesh Venkatesan of Symantec wrote in an analysis of the malware.

“The malware starts a call intent with the destination number obtained from the C&C server to enable unconditional call forwarding on the target device.”

Bankosy also can set an infected device to silent mode so that the victim isn’t even aware of incoming calls.

Image from Flickr stream of John Voo.