Remote-controlled Android malware stealing banking credentials

Summary: The malicious Android application targets specific well-known financial entities posing as a Token Generator application.


Security researchers at McAfee have discovered a malicious Android application capable of grabbing banking passwords from a mobile device without infecting the user's computer.

The latest piece of Android malware, dubbed FakeToken, contains man-in-the-middle functionality to intercept two-factor authentication tokens and can be remotely controlled to grab the initial banking password directly from the infected mobile device.

McAfee's Carlos Castillo explains:

The malicious application targets specific well-known financial entities posing as a Token Generator application. In fact, when the application is installed, the malware uses the logo and colors of the bank in the icon of the application, making it appear more credible to the user:

When the application executes, it shows a WebView component that displays an HTML/JavaScript web page that pretends to be a Token Generator. The web page also appears to be from the targeted bank (the same variant of the malware, but with a different payload).

Castillo found that, to obtain the fake token, the user must first enter the first authentication factor (the password used to gain initial access to the banking account). If the user does not enter it, the application shows an error.

"When the user clicks 'Generar' (Generate), the malware shows the fake token (which is in fact a random number) and sends the password to a specific cell phone number along with the device identifiers (IMEI and IMSI). The same information is also sent to one of the control servers along with further data such as the phone number of the device. The malware finds the list of control servers from an XML file inside the original APK," he added.

He said the malware also contains commands to update itself or spy on the infected device.

Castillo found that the FakeToken app can also hijack the list of contacts stored in the device (name and number).
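The behaviour described above (first-factor capture, SMS exfiltration of the password with IMEI/IMSI to a hard-coded number, a control-server list carried in an XML file inside the APK, contact harvesting) is all visible in a static triage of the APK. The script below is an added example, not McAfee's or the article's code, and it does not analyse a real FakeToken sample: the APK is a constructed in-memory stand-in, and the indicator list and scoring are the author's own heuristics. A real APK stores AndroidManifest.xml and classes.dex in binary form, so this plain-string scan will miss obfuscated or encrypted strings and is meant as a first-pass filter, not a verdict.

```python
"""Static triage of an APK for FakeToken-style indicators (added example).

The sample archive is constructed in memory and is NOT a real malware
sample; the API names, URLs and phone number in it are made up.
"""
import io
import re
import zipfile

# Unobfuscated Android API names that the article's description implies a
# Trojan of this kind would call (assumption: FakeToken's own code is not
# published on the page, so these are the obvious identifiers to look for).
API_INDICATORS = {
    "getDeviceId": "reads IMEI",
    "getSubscriberId": "reads IMSI",
    "getLine1Number": "reads the device phone number",
    "sendTextMessage": "sends SMS",
    "ContactsContract": "reads the contact list",
    "addJavascriptInterface": "exposes Java objects to the WebView page",
}

URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w./\-]*)?")
PHONE_RE = re.compile(rb"\+?\d{8,15}")


def build_sample_apk() -> bytes:
    """Constructed stand-in for a FakeToken-style APK (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Real classes.dex is binary DEX; only the string table matters here.
        z.writestr("classes.dex", b"...getDeviceId...getSubscriberId..."
                                  b"sendTextMessage...ContactsContract...")
        # Control-server list and SMS drop number carried in an XML member.
        z.writestr("res/raw/config.xml",
                   b"<servers><server>http://c2.example.invalid/gw.php</server>"
                   b"<server>http://backup.example.invalid/gw.php</server>"
                   b"</servers><sms>+10005550123</sms>")
        # The fake token page shown in the WebView.
        z.writestr("assets/index.html", b"<html><button>Generar</button></html>")
    return buf.getvalue()


def build_benign_apk() -> bytes:
    """Constructed benign archive for comparison: no telephony or SMS APIs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"...onCreate...setContentView...")
        z.writestr("res/raw/strings.xml", b"<string name='app'>Notes</string>")
    return buf.getvalue()


def triage_apk(apk_bytes: bytes) -> dict:
    """Scan every archive member for API indicators; pull URLs and phone
    numbers out of XML members, where a config such as the one the article
    describes would live."""
    findings = {"apis": {}, "urls": [], "phone_numbers": [], "xml_members": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            for api, meaning in API_INDICATORS.items():
                if api.encode() in data:
                    findings["apis"][api] = meaning
            if name.endswith(".xml"):
                findings["xml_members"].append(name)
                findings["urls"] += [m.decode() for m in URL_RE.findall(data)]
                findings["phone_numbers"] += [m.decode() for m in PHONE_RE.findall(data)]
    return findings


def risk_score(findings: dict) -> int:
    """Heuristic score (author's own weights, not a published scheme).
    Combinations matter more than single APIs: many legitimate apps read
    the IMEI, far fewer read it AND send SMS to a hard-coded number."""
    apis = findings["apis"]
    reads_ids = "getDeviceId" in apis or "getSubscriberId" in apis
    score = 0
    if reads_ids:
        score += 1
    if "sendTextMessage" in apis and findings["phone_numbers"]:
        score += 3  # password/IMEI/IMSI exfil over SMS to a baked-in number
    if findings["urls"] and reads_ids:
        score += 2  # device identifiers plus an embedded server list
    if "ContactsContract" in apis:
        score += 1  # contact harvesting
    return score


if __name__ == "__main__":
    for label, apk in (("sample", build_sample_apk()), ("benign", build_benign_apk())):
        f = triage_apk(apk)
        print(label, "score:", risk_score(f), "apis:", sorted(f["apis"]),
              "urls:", f["urls"], "sms:", f["phone_numbers"])
```

Run it as a script to see the two archives side by side; on a real APK you would pass the file's bytes to `triage_apk`, and a score of 5 or more under these weights is a reasonable trigger for pulling the DEX into a proper decompiler rather than trusting the string scan.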

Android malware that targets financial entities is in constant evolution: from man-in-the-middle attacks we now see more sophisticated, remote-controlled banking Trojans that can get more than one factor of authentication and update themselves to, for example, modify a phishing attack to get other required credentials, such as the name or the ID number of the user, to perform electronic fraud. Due to the increasing popularity of Android and mobile-banking applications, we expect that more threats like this will appear.


  • This app isn't available yet on iPhone ...

    ... Android is always one step ahead.
  • Ryan. Do Your Research. Just like with Microsoft. Be thorough.

    You have shown a keen 'bias' and unprofessionalism when you don't thoroughly research a topic.

    Nowhere is there any confirmation for the 'source' of these Apps. My suspicion is that they do not exist in the Android Market Place (name has changed).

    The standard 'caveat' for using Linux is to avoid side-loading Apps from outside a 'designated' repository, in this case Android Market.

    Tempt fate otherwise.
    Dietrich T. Schmitz *Your
    • bonks of malware have been found in Google's android Market

      I didn't check where this current malware is located, but malware has blossomed over and over at the 'designated' repository:

      "Malware might have infected more than 5 million Android mobile devices via deliberately corrupted apps sold in the Android Marketplace, according to security firm Symantec. They reckoned Android.Counterclank, a slight variant of Android.Tonclank."
      • bonks of malware have been found in Google's android Market

        Is this a surprise to anyone? You want fewer problems, run Windows Phone and iOS. You want a fresh and inviting new experience, try Windows Phone. Fast, Efficient and USER FRIENDLY! The Nokia offerings look great and the Lumia 900 is just around the corner. Not to mention Windows 8 and WP Devs are going to have a heyday with Code that can be ported with ease.
    • Dietrich

      How do you explain away the many, many malware-laden apps Google had to pull from its own Android App Market (or Play Market now)? Those were in fact verified and removed by Google - no need to enable outside sources for those.

      It would be nice to have the source of these particular apps verified but past history has shown that one can tempt fate just by downloading an app from Google's App Market.
      • My point is completeness and accuracy in reporting.

        What is your response to my point? What is the source of these apps?
        Dietrich T. Schmitz *Your
    • Linux is swiss cheese

      To coin a phrase from the Windows era.

      Really, Linux isn't, but the user and the apps can be. Same problem Windows has faced, with much heated contention that Linux is better; well, it isn't, it's the same.

      Marketplace dominance shows this same trend for Linux based devices as Windows based systems.
    • But won't the Linux Security Module magically fix sideloading problems

      no? Odd. we hear about LSM all the time whenever there is an issue with third party Microsoft apps.
      Your Non Advocate
  • Shopping iOS is like a Designer Store, Android is like a third world Bazaar

    Shopping iOS is like shopping in a posh designer store where they've vetted the products and secured the premises, shopping for Android is like a third world Bazaar: beware of fakes and stepping in buffalo dung.
    • How soon they forget ...

      All those iPhone apps that stole users contact information. Those apps were, and are, malware.

      Apple's iPhone app store and iOS have plenty of room for improvement.
      Rabid Howler Monkey
      • ah but do you see the BIG FAT difference?

        People violated Apple's rules and got into trouble; Path (the contact-info app) had its CEO called in and personally grilled by Tim Cook. Path was a clumsy attempt to build a social network, which is somewhat different from stealing your bank passwords like the above. Also, plenty of Android apps do the same thing.

        (And we have to mention that Google was one of the people who hacked into iOS via the Safari cookie exploit. So which is worse, the guy who puts security up or the guy who hires top-notch hackers to break into it and violate customers?)

        Like I said, a high-end store: sometimes malicious crooks can get in through the security, but at least protection protocols are in place and were in place from the start ..

        for the BAZAAR on the other hand .. its OPEN
        For years Google didn't even vet apps, allowing tens of thousands of malware downloads (shoot, Google wasn't even AWARE of malicious apps until informed by outsiders, after thousands of copies were downloaded from its Market; wasn't aware or didn't care). It still doesn't really vet apps, but now it uses a 'bouncer' software which some say doesn't even work well.

        NOTICE Google is backtracking from its previous open position (and once again copying Apple) in putting checks in place.

        For YEARS apple haters had claimed HOW HORRIBLE and EVIL apple was in MISTREATING DEVELOPERS and not allowing customers to GET ANY APP WITHOUT CHECKS, the terrible HADES of the WALLED GARDEN ... now the SAME HATERS are saying Google is so smart installing (clumsy) checks (years late) following Apple's carefully thought out and ahead of the rest idea of vetting apps!

        maybe Eric Schmidt had already been booted out of Apple's board and didn't get to hear the reasons for the 'walled garden' and copy it like Android.

      • Android or iOS does not matter when social engineering is required.

        Whether on iPhone or Android, malware usually requires social engineering to be deployed. The solution: don't download apps that seem too good to be true. Ensure all apps are legit before download.

        Be more careful and aware of your phone.
      • world class hack into iOS?


        Seriously? That's freakin' hilarious. It was a well-known cookie exploit for over a decade, effectively present on all major browsers (except maybe incognito on Chrome). It was in fact a "hack", which is to say a quick, clever workaround to restore functionality to broken code. It would be nice if the code were redesigned and rewritten to work in the first place, but accusing Google, Facebook, and dozens of others of malicious intent is a stretch.
      • Different business goals

        Apple want to sell you a device. Google wants your data. Simple as that.

        "Don't be evil" == "Don't shoot us for stealing from you"
  • I'm shocked, shocked I tell you, to hear that android lets apps steal

    banking info. Android must know that sending users' banking info to unknown places without permission is actually good for its users, and the people getting it are probably big Google fans.
    Johnny Vegas
  • Yes but

    Did anyone else come here because of the hilarious Android-cowboy picture? I know I did
  • I use a Windows 7 Phone

    Don't have to worry about these things.
    • Me too

    • A W7 phone...

      ...what's that???
    • Ya, what was it the Apple guy used to say in the 'I'm a Mac' commercials...

      ...something about Macs not getting Windows viruses or something like that?

      Well, Windows phone users do not get Android or iOS viruses.

      And hey, remember Windows users, when a Windows phone, if it ever does, gets a nasty bit of malware, learn from the Mac lovers; make sure you use a definition of virus that will restrict the bit of malware from being classified as a virus. History has shown that according to Mac users a worm, Trojan or any other bit of malware is so much better than a virus. Because Macs don't get viruses. I guess if they did, then viruses wouldn't be so bad either.