Android malware coders have come up with a clever trick to mask fraudulent bank transactions, operating by changing the user's smartphone PIN, then locking the device, and by doing so, keeping the victim busy while they empty their bank account.

The first version of this malware appeared in December 2015 but went mostly unreported, targeting a small number of users. Since then, this Android malware, known as the Fanta SDK, has evolved in capabilities but has kept its mode of operation the same.

Malicious banking apps spread via fake bank notification emails

Trend Micro, the security firm that discovered this threat, says that crooks are using spam emails to distribute their malware-laced applications.

A user first receives an email with their bank's email address spoofed, and they're told that a new security update for their banking application was recently released and that they should update their app. Right now, the app only targets the users of Russian banks.

If the user has one of those apps installed on their phone, they'll likely follow the download link included in the email and download the app on their phone. It is recommended that users update the mobile banking app through the Google Play Store, and not via manual downloads.

Malicious app needs admin privileges to show phishing screens

After the user downloads and installs the app, they'll be prompted to grant it administrative privileges. Trend Micro experts explain why users should not give any suspicious app admin privileges.

“ Keep in mind that most legitimate apps do not request admin privileges. This is a common red flag users should catch early when dealing with mobile malware. ”

The malicious app then sends these credentials to the crooks' server, which will use them to make fraudulent transactions.

Malware will also change your PIN when you try to uninstall it

If the user decides they don't need a mobile banking app, or if they see something suspicious and attempt to uninstall the malicious app, the Fanta SDK comes with a self-protection method that automatically sets a random smartphone PIN and then locks the device.

At this stage, seeing that its presence was detected, the malware just starts emptying your bank account. By the time the user finds a way to unlock their phone, usually via a reflash, hours, if not days or weeks have passed.

The malware has the opportunity to make a clean get-away with all the victim's money if the infected host has multiple bank accounts and doesn't notice the fraudulent transactions in time to file a complaint with their bank.

Fanta SDK tied to wide-reaching banking malware operations

Researchers have connected this app's master servers with the infrastructure of other malware operations that deliver the Cridex, Ramnit, and ZBOT banking trojans.

Trend Micro says the app has a mode of operation similar to that of the crooks from Operation Emmental, who stole money from bank accounts in Switzerland, Sweden, and Austria, using a novel technique at that time. The group was believed to be of Russian origin.

Below is the Fanta SDK trying to pose as the Sberbank mobile banking application. The real loading screen is on the left while the fake is on the right.

UPDATE: The researchers at Zscaler have also published a report on this malware.