Remote-controlled Android malware stealing banking credentials
Summary: The malicious Android application targets specific well-known financial entities posing as a Token Generator application.
Security researchers at McAfee have discovered a malicious Android application capable of grabbing banking passwords from a mobile device without infecting the user's computer.
The latest piece of Android malware, dubbed FakeToken, contains man-in-the-middle functionality to hijack two-factor authentication tokens and can be remotely controlled to grab the initial banking password directly from the infected mobile device.
McAfee's Carlos Castillo explains: The malicious application targets specific well-known financial entities posing as a Token Generator application. In fact, when the application is installed, the malware uses the logo and colors of the bank in the icon of the application, making it appear more credible to the user:
When the application executes, it shows a WebView component that displays an HTML/JavaScript web page that pretends to be a Token Generator. The web page also appears to be from the targeted bank (same variant of the malware but with different payload).
To get the fake token, Castillo discovered that the user must enter the first factor of authentication (used to obtain initial access to the banking account). If this action is not performed, the application shows an error.
"When the user clicks “Generar” (Generate), the malware shows the fake token (which is in fact a random number) and sends the password to a specific cell phone number along with the device identifiers (IMEI and IMSI). The same information is also sent to one of the control servers along with further data such as the phone number of the device. The malware finds the list of control servers from an XML file inside the original APK," he added.
He said the malware also contains commands to update itself or spy on the infected machine.
Castillo found that the FakeToken app can also hijack the list of contacts stored in the device (name and number).
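As a defender-side triage check (an added example, not McAfee's or Castillo's tooling), the behaviour described above can be translated into the manifest permissions such an app would have to declare: sending the password by SMS, reading IMEI/IMSI, and reading contacts. The permission-to-behaviour mapping and both manifests below are assumptions constructed for this example; the article does not list the sample's permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Behaviours the article attributes to FakeToken, mapped to the Android
# permission each requires. Assumed mapping for this example; the article
# itself does not list the sample's declared permissions.
EXFIL_CAPABILITIES = {
    "send password by SMS": "android.permission.SEND_SMS",
    "read IMEI/IMSI": "android.permission.READ_PHONE_STATE",
    "read contact list": "android.permission.READ_CONTACTS",
}

# Constructed manifest resembling what a fake "Token Generator" could declare.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tokengenerator">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Token Generator"/>
</manifest>"""

# Constructed manifest for a token app that only talks to its own backend.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.otp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="OTP"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # attribute is in the android: namespace
    return {p.get(name_attr) for p in root.iter("uses-permission")}


def exfil_capabilities(manifest_xml):
    """List the FakeToken-style capabilities the declared permissions allow."""
    perms = declared_permissions(manifest_xml)
    return sorted(cap for cap, perm in EXFIL_CAPABILITIES.items() if perm in perms)


def is_suspicious(manifest_xml):
    """A token generator has no need to send SMS or read contacts or IMSI."""
    return bool(exfil_capabilities(manifest_xml))
```

Run it against the manifest extracted from a decoded APK (for example with apktool) to get a first-pass verdict before deeper analysis.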
Android malware that targets financial entities is in constant evolution: From man-in-the-middle attacks we now see more sophisticated, remote-controlled banking Trojans that can get more than one factor of authentication and update themselves to, for example, modify a phishing attack to get other required credentials, such as the name or the ID number of the user, to perform electronic fraud. Due to the increasing popularity of Android and mobile-banking applications, we expect that more threats like this will appear.
Talkback
This app isn't available yet on iPhone ...
Ryan. Do Your Research. Just like with Microsoft. Be thorough.
Nowhere is there any confirmation for the 'source' of these Apps. My suspicion is that they do not exist in the Android Market Place (name has changed).
The standard 'caveat' for using Linux is to avoid side-loading Apps from outside a 'designated' repository, in this case Android Market.
Tempt fate otherwise.
bonks of malware have been found in Google's android Market
eg:
"Malware might have infected more than 5 million Android mobile devices via deliberately corrupted apps sold in the Android Marketplace, according to security firm Symantec. They reckoned Android.Counterclank, a slight variant of Android.Tonclank."
http://thehackernews.com/2012/01/another-malware-from-android-market.html
Dietrich
It would be nice to have the source of these particular apps verified but past history has shown that one can tempt fate just by downloading an app from Google's App Market.
My point is completeness and accuracy in reporting.
Linux is swiss cheese
Really, Linux isn't, but the user and the apps can be. Same problem Windows has faced, with much heated contention that Linux is better; well, it isn't, it's the same.
Marketplace dominance shows this same trend for Linux based devices as Windows based systems.
But won't the Linux Security Module magically fix sideloading problems
Shopping iOS is like a Designer Store, Android is like a third world Bazaar
How soon they forget ...
Apple's iPhone app store and iOS have plenty of room for improvement.
ah but do you see the BIG FAT difference?
(and we have to mention that Google was one of the people who hacked into iOS via the Safari cookie exploit. So which is worse, the guy who puts security up or the guy who hires top notch hackers to break into it and violate customers?)
Like I said, a high end store: sometimes malicious crooks can get in through the security, but at least protection protocols are in place and were in place from the start ..
for the BAZAAR on the other hand .. its OPEN
for years Google didn't even vet apps, allowing tens of thousands of malware downloads (shoot, Google wasn't even AWARE of malicious apps until informed by outsiders after thousands of copies were downloaded; it was in their Market, and they weren't aware or didn't care). It still doesn't really vet apps, but now it uses a 'bouncer' software which some say doesn't even work well.
NOTICE Google is backtracking from its previous open position (and once again copying Apple) in putting checks in place.
For YEARS apple haters had claimed HOW HORRIBLE and EVIL apple was in MISTREATING DEVELOPERS and not allowing customers to GET ANY APP WITHOUT CHECKS, the terrible HADES of the WALLED GARDEN ... now the SAME HATERS are saying Google is so smart installing (clumsy) checks (years late) following Apple's carefully thought out and ahead of the rest idea of vetting apps!
maybe Eric Schmidt had already been booted out of Apple's board and didn't get to hear the reasons for the 'walled garden' and copy it like Android.
lol.
Android or iOS does not matter when social engineering is required.
Be more careful and aware of your phone.
world class hack into iOS?
Seriously? That's freakin' hilarious. It was a well known cookie exploit for over a decade, effectively present on all major browsers (except maybe incognito on Chrome). It was in fact a "hack", which is to say a quick clever workaround to restore functionality to broken code. It would be nice if the code were redesigned and rewritten to work in the first place, but accusing Google, Facebook, and dozens of others of malicious intent is a stretch.
Different business goals
"Don't be evil" == "Don't shoot us for stealing from you"
I'm shocked, shocked I tell you, to hear that android lets apps steal
Yes but
I use a Windows 7 Phone
Me too
A W7 phone...
Ya, what was it the Apple guy used to say in the 'I'm a Mac' commercials...
Well, Windows phone users do not get Android or iOS viruses.
And hey, remember Windows users, when a Windows phone, if ever, does get a nasty bit of malware, learn from the Mac lovers: make sure you use a definition of virus that will restrict the bit of malware from being classified as a virus. History has shown that according to Mac users a worm, Trojan or any other bit of malware is so much better than a virus. Because Macs don't get viruses. I guess if they did then viruses wouldn't be so bad either.