More than 2,000 mobile banking users in Brazil have unknowingly downloaded an Android-based malware that controlled devices and stole their confidential data.
According to virus specialists Doctor Web, cybercriminals were distributing the Android.BankBot.495.origin trojan on Google Play under the guise of applications that supposedly allowed WhatsApp monitoring of Android-based devices.
When launched, the malware would attempt to gain access to Android accessibility features, which would in turn allow continue operating in the background, tap buttons and steal contents of active application windows.
The security analysts looked into the malware behavior in some of Brazil's largest banks. In one example cited in the report, when interacting with Bradesco, the country's second-largest private bank, the trojan would read the victim's account information and automatically attempt logging in by entering the PIN code received from the command and control server.
The trojan Android.BankBot.495.origin would then get access to users' account balances along with other private banking data, then transfer it to cybercriminals.
Contacted by ZDNet, Bradesco said the transactional environment of the bank is safe and that operations can only be carried out through a mobile token.
As well as banks, the analysts point out that the Android-based malware is also used to perform phishing attacks in other applications, including Uber, Netflix and Twitter.
Once launched, the trojan displays an overlay window with a fraudulent web page simulating the attacked app, loaded from the second command and control server. This then leads users to enter then confidential data.