Android malware steals bank credentials – Is mobile banking safe?

March 17, 2012
Mobile banking has been steadily gaining popularity as more and more consumers get access to smartphones with internet capabilities. Today, almost every major financial institution in the world provides its account holders with easy-to-use net and mobile banking systems. But, as with every other good thing out there, malicious intent is never far behind. Security concerns related to the use of mobile banking applications have recently been brought to the forefront. The latest Android malware found in the wild is proving to be one of the most dangerous.

A new piece of malware was discovered by security researchers at McAfee, one that primarily targets Android systems. The app can remotely steal a user’s banking credentials from the user’s mobile device, without even triggering anti-malware apps.

As explained by McAfee researcher Carlos Castillo in a blog post, the application, dubbed FakeToken, targets major financial institutions by posing as a Token Generator app. When the application is installed, the malware even goes so far as to mimic the targeted bank’s logo and color scheme, adding a certain credibility to the scheme and making it hard for users to distinguish between the legitimate and the malicious applications.

Misleading App Icon

When the application runs, users are presented with a WebView component that displays an HTML/JavaScript webpage made to look like an official Token Generator. The user is first prompted to enter the first factor of authentication that is used to obtain access to the banking account; the application shows an error if this step is not completed. On clicking “Generar” (“Generate”; the malware targets users of Spanish banks), the app shows a fake token (in fact, a random number) and then sends the password to a specific cell phone number along with the device’s IMEI and IMSI numbers. The same information is also sent to a control server, along with more data such as the device’s phone number. The malware gets its list of control servers from an XML file inside the original APK.

McAfee’s Castillo added that the malware also contains commands to update itself, spy on the infected system, and create a schedule to auto-run at a later date. The app retrieves all the contact information stored on the phone and serializes this information to send it to a control server.
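As an added defender-side illustration (not code from McAfee or from the original article), the sketch below triages a decoded `AndroidManifest.xml` by mapping the behaviours described above to the standard Android permissions they rely on. The mapping, the "core pair" rule and both sample manifests are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Assumed mapping: behaviour described in the article -> permission it relies on.
BEHAVIOUR_PERMS = {
    "android.permission.SEND_SMS": "sends the captured password by SMS",
    "android.permission.READ_PHONE_STATE": "reads IMEI, IMSI and phone number",
    "android.permission.INTERNET": "uploads data to a control server",
    "android.permission.READ_CONTACTS": "collects the contact list",
}
# Assumed rule: SMS sending plus device identifiers is the core exfiltration pair.
CORE = {"android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE"}

# Constructed manifests (package names are hypothetical).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.token">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission/>
</manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.otp">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NAME) for el in root.iter("uses-permission"))
    return {n for n in names if n}  # skip malformed entries without a name

def triage(manifest_xml):
    """Map declared permissions to the behaviours above and give a verdict."""
    perms = requested_permissions(manifest_xml)
    matched = sorted(p for p in perms if p in BEHAVIOUR_PERMS)
    return {
        "matched": {p: BEHAVIOUR_PERMS[p] for p in matched},
        "suspicious": CORE <= perms,  # both core permissions requested
    }

if __name__ == "__main__":
    for label, doc in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(doc))
```

A match is only a reason to look closer at an app that presents itself as a token generator, since legitimate apps can request the same permissions.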

The security researcher warned that similar malware targeting other banking institutions is constantly evolving, and that with the ever-increasing popularity of Android and mobile banking applications, we can expect even more threats of this kind to appear.

Do you use mobile banking? What, if any, security features would you recommend to avoid problems with malware in the future?

Comments

  • alex2792

    Another day, another Android malware, what else is new.

  • Josh

    Are these available from Google Play?

  • Uppal

    Ankit – Is Google Play going to get these malware out, assuming the enterprise adoptions?