Mobile Security Threats
Android Users Under Attack As Banking Malware Source Code Was Posted Online
Security researchers warn that the source code of an Android banking malware was posted online, along with information on how to use it, which means that users of Android devices are very likely to face an increasing number of attacks in the short term.
Security firm Dr. Web reveals that it has already discovered one malware developed with this leaked source code, adding that it’s distributed as popular applications either directly injected in APKs available online or in third-party stores.
The malware has been flagged as Android.BankBot.149.origin and tries to get administrator privileges on compromised devices. Once it’s granted full privileges, the malware removes the app’s icon from the home screen, trying to trick people into believing it was removed.
In reality, it remains active in the background and connects to a command and control server to await commands. It can perform a wide array of tasks, such as sending and intercepting SMS messages, stealing contacts, tracking devices, making calls, showing phishing dialogs, and stealing sensitive information, such as banking details and credit card data.
“Like many other Android bankers, Android.BankBot.149.origin steals confidential user information by tracking the launch of online banking applications and payment system software. One sample examined by Doctor Web security researchers controls over three dozen such programs. Once Android.BankBot.149.origin detects that any of the aforementioned applications have been launched, it loads the relevant phishing input form to access user bank account login and password information and displays it on top of the attacked application,” the firm explains.
When popular applications are launched, including Facebook, Instagram, WhatsApp, YouTube, and even the Google Play Store, the malware displays a phishing dialog similar to the one that appears when you make purchases on Google Play, asking for credit card information.
Furthermore, it can intercept text messages, send them to the attacker, and then remove them from the phone, which is particularly dangerous in the case of bank notifications.
The security firm warns that this is just one form of malware based on the publicly available source code, explaining that users should be super-careful when downloading APKs from third-party stores.
Bad news, fandroids: Mobile banking malware now encrypts files
First Faketoken stole credentials, now it holds data to ransom
Cybercrooks have outfitted ransomware functionality onto an already dangerous mobile banking Trojan.
The modified Faketoken can steal credentials from more than 2,000 Android financial applications, security researchers at Kaspersky Lab warn. Based on telemetry, Kaspersky Lab estimates that Faketoken has claimed over 16,000 victims in 27 countries. Users in Russia, Ukraine, Germany and Thailand have been the most heavily affected. Variants of the malware first surfaced back in July.
Stealing financially related data on an industrial scale remains Faketoken’s main scam. The ransomware element of the Android nasty is problematic for victims but not as potent as its developers might have hoped, as Kaspersky Lab researchers explain.
“The newly added data-encryption capability is unusual in that most mobile ransomware focuses on blocking the device rather than the data, which is generally backed-up to the cloud,” Kaspersky Lab researchers explain. “In Faketoken’s case, the data – including documents and media files such as pictures and videos – is encrypted using an AES symmetric encryption algorithm that can, in some cases, be decrypted by the user without paying a ransom.”
Faketoken poses as various programs and games, including Adobe Flash Player. During the initial infection process, the Trojan demands administrator rights, permission to overlay other apps or to be a default SMS application – often leaving users with little or no choice but to comply. Among other things, these rights enable Faketoken to steal data such as contacts and files, either directly or indirectly through phishing pages.
For example, the Trojan can overlay the Google Play Store, presenting a phishing page in attempts to trick marks into handing over their credit card details. Another phishing template impersonates Gmail’s login page.
The revised Faketoken also tries to replace application shortcuts for social media networks, instant messengers and browsers with its own versions. The reason for this is unclear as the substitute icons lead to the same legitimate applications. It’s probable that malicious coders have done this in order to lay the groundwork for future developments.
The malware serves to underline why you should not blindly hand over permissions to mobile apps as well as the importance of backing up data.
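A defender-side check for the permission pattern described above, added here as an example and not code from Dr. Web, Kaspersky Lab or either article: it reads a decoded AndroidManifest.xml and flags apps that combine overlay, device-administrator and SMS capabilities. The sample manifests and package names are constructed, and the two-of-three review rule is an assumption chosen for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
SMS_PERMS = {P + "RECEIVE_SMS", P + "READ_SMS", P + "SEND_SMS"}

# Constructed sample manifests (decoded text XML, hypothetical package names).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.player">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""

def risk_flags(manifest_xml):
    """Return the capability classes (overlay, messaging, device_admin) a manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    flags = set()
    if P + "SYSTEM_ALERT_WINDOW" in perms:   # draw over other apps
        flags.add("overlay")
    if perms & SMS_PERMS:                    # read, receive or send SMS
        flags.add("messaging")
    for rcv in root.iter("receiver"):
        if rcv.get(ANDROID_NS + "permission") == P + "BIND_DEVICE_ADMIN":
            flags.add("device_admin")        # device administrator receiver
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if "android.provider.Telephony.SMS_DELIVER" in actions:
            flags.add("messaging")           # can act as the default SMS app
    return flags

def needs_review(manifest_xml):
    """Assumed rule: two or more capability classes together warrant manual review."""
    return len(risk_flags(manifest_xml)) >= 2

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, sorted(risk_flags(xml)), needs_review(xml))
```

A genuine SMS client or device-management app will also declare some of these capabilities, so a hit is a prompt to compare the declared permissions against what the app claims to do, not a verdict.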
More details about the threat evolution of Faketoken can be found in a post on Kaspersky Lab’s Securelist blog.
Source: The Register UK
Thanks Softpedia, The Register and for reading Android Users Under Attack