Security firm Fortinet recently posted about a nasty little piece of banking malware that I feel hasn’t gotten enough press. It’s more than banking malware, as it nabs creds not just from institutions like Wells Fargo, but also from PayPal and Coinbase (just to name a few).
Like many of us, the first thing I did was to read the list of banking apps to see if my bank was in the list of those affected (it is), and then to check to see if my phone is infected (it isn’t, phew), and then to see what the mitigation steps are. Fortunately, the fix is easy for non-technical people, so it’s easy to tell our friends and family members about.
Fortinet’s post doesn’t have the most camera-ready title, but it explains everything up front: Android banking malware masquerades as Flash Player, targeting large banks and popular social media apps.
Active users of mobile banking apps should be aware of a new Android banking malware campaign targeting customers of large banks in the United States, Germany, France, Australia, Turkey, Poland, and Austria.
This banking malware can steal login credentials from 94 different mobile banking apps. Due to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication. Additionally, it also contains modules to target some popular social media apps.
The SMS spoofing allows it to bypass 2-factor.
It’s rather basic, but clever. It arrives posing as a Flash Player app, so it looks like it belongs there. When a user launches the fake Flash Player, “the user is tricked into granting device administrator rights to the app through a fake Google Play Service”; the attackers con users into activating the malware via a bogus Google Play service screen that is actually a screen overlay. After that, the Flash Player icon disappears from the app list and the malware runs in the background.
Once the “Flash Player” malware is loaded and active, opening any of the targeted apps presents the user with a native-looking screen that demands credit card info before proceeding. It snatches that info and sends it to the C&C server.
It can also perform a factory reset on the infected phone. That’s a data loss nightmare for many people, particularly as phones increasingly replace computers for those who can’t afford both a phone and a home computer.
Financial institutions whose apps are affected include all the biggies: Amex, Chase, Citi Bank, Coinbase, Bank of the West, Deutsche Bank, PayPal, Santander, Wells Fargo, USAA, and many more. It looks to me like it may also snatch creds from any app built with ecommerce Mobile.
First, the user can disable the device administrator rights in Settings -> Security -> Device administrators -> Google Play Service -> Deactivate and then uninstall the fake ‘Flash Player’ via Settings -> Apps -> Flash-Player-update -> Uninstall. This method is simple.
Second, some tricks can be used to disable the device administrator rights. The malware repeatedly creates a screen overlay to request device administrator rights via faking the Google Play Service after the user rejects the request for device administrator rights. Because the screen overlay always displays on top of all other screens, the user cannot access Settings -> Apps -> Flash-Player-update -> Uninstall. In this case, the user can uninstall the malware via ADB (Android Debug Bridge) by using the command ‘adb uninstall [packagename]’.
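The ADB route above needs a package name, and the malware hides its icon, so here is an added defender-side triage script (example code, not from the Fortinet post) that finds user-installed apps holding device-administrator rights from the saved output of two stock adb commands. The dumpsys layout it parses is assumed from memory, and every package name in the sample data is a constructed placeholder.

```shell
#!/bin/sh
# Added triage helper, not from the Fortinet post: list user-installed apps that
# hold device-administrator rights, the privilege the fake "Flash Player" tricks
# the user into granting. Input is the saved text of two stock adb commands:
#   adb shell dumpsys device_policy    (active admin components)
#   adb shell pm list packages -3      (third-party packages, "package:com.x")
# The dumpsys layout assumed below is from memory; confirm it on your device.

# Package names of active device admins, one per line. Admin components are
# listed as "    com.pkg/.Receiver:" under an "Enabled Device Admins" heading.
active_admin_packages() {
    awk '/Enabled Device Admins/ { in_admins = 1; next }
         in_admins && /^[ \t]+[A-Za-z0-9_.]+\/[^: \t]+:$/ {
             sub(/^[ \t]+/, ""); sub(/\/.*/, ""); print
         }' "$1" | sort -u
}

# Third-party packages that are also active admins. A preinstalled admin (an
# MDM agent, say) drops out because it is absent from the "-3" package list.
third_party_admins() {
    active_admin_packages "$1" |
        awk 'FNR == NR { admin[$0] = 1; next }
             sub(/^package:/, "") && ($0 in admin)' - "$2" | sort -u
}

# Constructed sample output (placeholder package names) modelling an infected
# phone: the bogus "Google Play Service" admin belongs to a sideloaded package.
write_samples() {
    cat > "$1" <<'EOF'
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.corp.mdm/.AdminReceiver:
      policies:
        force-lock
    com.example.flashplayer.update/.GooglePlayService:
      policies:
        wipe-data
EOF
    cat > "$2" <<'EOF'
package:com.example.flashplayer.update
package:com.example.bankapp
EOF
}

# Demo on the samples; with real adb output, each hit is an "adb uninstall" target.
if [ "${1:-}" = "--demo" ]; then
    write_samples /tmp/dp.$$ /tmp/pk.$$; third_party_admins /tmp/dp.$$ /tmp/pk.$$
    rm -f /tmp/dp.$$ /tmp/pk.$$
fi
```

Run it with `--demo` to see the sample hit, or point the two functions at files captured from a USB-debugging session with the phone.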
Change your banking and financial app passwords, as well as those on the social apps targeted by the malware. Go a third step further and contact your credit card company about any cards mistakenly entered into the phone while it was infected. Have those cards canceled and reissued.
Spread the word, this is an active attack.