Malware hijacks big four Australian bank’s apps, steals two-factor SMS codes
Millions of customers of Australia’s largest banks are the target of a sophisticated Android attack which steals banking details and thwarts two-factor authentication security. Commonwealth Bank, Westpac, National Australia Bank and ANZ Bank customers are all at risk from the malware which hides on infected devices waiting until users open legitimate banking apps. The malware then superimposes a fake login screen over the top in order to capture usernames and passwords.
The malware is designed to mimic 20 mobile banking apps from Australia, New Zealand and Turkey, as well as login screens for PayPal, eBay, Skype, WhatsApp and several Google services.
Apart from Australia’s Big Four banks it targets a range of other financial institutions including Bendigo Bank, St. George Bank, Bankwest, ME Bank, ASB Bank, Bank of New Zealand, Kiwibank, Wells Fargo, Halkbank, Yapı Kredi Bank, VakıfBank, Garanti Bank, Akbank, Finansbank, Türkiye İş Bankası and Ziraat Bankası. Along with stealing login details, the malware can also intercept two-factor authentication codes sent to the phone via SMS, forwarding the code to the attackers while hiding it from the owner of the phone. With both the credentials and the SMS code, thieves can bypass a bank’s security measures, log into the victims’ online banking accounts from anywhere in the world and transfer funds.
The malware attack has evolved over time, becoming more sophisticated as hackers update the software to defeat security countermeasures, says ESET senior research fellow Nick FitzGerald. “This is a significant attack on the banking sector in Australia and New Zealand, and shouldn’t be taken lightly,” FitzGerald says. “While 20 banking apps have been targeted so far, there’s a high possibility the e-criminals involved will further develop this malware to attack more banking apps in the future.”
Detected by ESET security systems as Android/Spy.Agent.SI, the malware sneaks onto Android devices by imitating the Adobe Flash Player application which many websites require in order to play streaming video. Once installed, the app requests device administrator rights, checks for installed banking applications and then reports back to base in order to download the fake login screens matching the apps it found.
The infected Flash Player application does not come from Android’s official Google Play app store; instead, phone users are tricked into installing it via infected websites or bogus messages. To become infected, Android owners must override the default security option and accept apps from unknown sources. The download comes from a range of bogus domains including flashplayeerupdate.com, adobeflashplaayer.com and adobeplayerdownload.com.
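The behaviour described above (a sideloaded app that asks for device administrator rights, listens for incoming SMS and draws a fake login screen over other apps) shows up statically in an APK's manifest. The following triage script is an added example and is not ESET's detection logic or the malware's real manifest; the permission and action names are real Android identifiers, while the sample manifest, its package name and label are constructed for illustration.

```python
"""Static manifest triage for the behaviour combination described above:
device-admin request, SMS interception and drawing over other apps."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace

# Real Android permission names mapped to the behaviours they enable.
PERMISSION_FLAGS = {
    "android.permission.RECEIVE_SMS": "reads incoming SMS (2FA code interception)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps (fake login overlay)",
}
# Real intent actions a receiver registers for the same behaviours.
ACTION_FLAGS = {
    "android.app.action.DEVICE_ADMIN_ENABLED": "requests device administrator rights",
    "android.provider.Telephony.SMS_RECEIVED": "receiver listens for incoming SMS",
}
# All three together is the overlay-banker pattern the article describes.
OVERLAY_PROFILE = {"draws over other apps (fake login overlay)",
                   "requests device administrator rights", "receiver listens for incoming SMS"}

def triage_manifest(manifest_xml):
    """Return a sorted list of flagged behaviours found in the manifest text."""
    root = ET.fromstring(manifest_xml)
    findings = set()
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID + "name", "")
        if name in PERMISSION_FLAGS:
            findings.add(PERMISSION_FLAGS[name])
    for action in root.iter("action"):
        name = action.get(ANDROID + "name", "")
        if name in ACTION_FLAGS:
            findings.add(ACTION_FLAGS[name])
    return sorted(findings)

def matches_overlay_banker_profile(findings):
    """True when all three behaviours the article describes occur together."""
    return OVERLAY_PROFILE.issubset(findings)

# Constructed sample manifest: a fake "Flash Player" with the described capabilities.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Adobe Flash Player">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

On a real APK the manifest is binary XML and must first be decoded (for example with aapt or apktool) before being passed to `triage_manifest`; a legitimate SMS or device-management app will match one of these flags on its own, so only the full combination is treated as a hit.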