Flashlight Apps Snuck Malware Into Google's Play Store, Targeting Bank Accounts

Active on the Google Play Store as recently as last Friday, a mobile banking trojan infected thousands of users who thought they were downloading games or innocent-looking apps, according to research published by a trio of cybersecurity firms.

The malware, known as BankBot, was concealed inside various flashlight and Solitaire apps, and was first detected by researchers on October 13th. After a user downloaded an infected app, the trojan would activate and wait for the user to log in to pre-selected banking apps, including those of Wells Fargo, Chase, CitiBank, and DiBa (ING). In some cases, bank transaction authentication numbers (TANs), a form of multi-factor authentication employed by some banks, were intercepted in text messages.


Research into BankBot’s latest capabilities was conducted by employees at Czech cybersecurity firms Avast and ESET, and the Amsterdam-based SfyLabs, which focuses on Android-specific threats.

Although Play Protect scans the apps uploaded to Google’s app store against known malicious software, BankBot circumvented this defense by hosting its payload on a command & control server. After users downloaded one of the infected apps, such as “Tornado Flashlight,” the malware waited for two hours before downloading the payload. Phones that were not set to automatically accept files from unknown sources were prompted to accept the installation, Avast said.

A few of the flashlight apps hosting BankBot (Avast)

The Android apps containing the malware were disguised to mislead users into believing they were a Google Play or system update requesting administrative privileges.


From there, BankBot quietly waited for users to log in to one of the aforementioned banking apps. Once the banking credentials were entered, they were immediately shared with the criminals who launched the malware campaign.

Certain banking apps send users security codes via text messages, which they have to enter into the app before accessing their accounts; however, this BankBot variant included a function that allowed it to intercept the texts and forward the codes to the attackers as well.


According to Avast, in addition to the US, BankBot struck users in Australia, Germany, the Netherlands, France, Poland, Spain, Portugal, Turkey, Greece, Russia, the Dominican Republic, Singapore, and the Philippines.

“The malware is not active in the Ukraine, Belarus and Russia,” Avast’s researchers wrote. “This is most likely to protect the cyber criminals from receiving unwanted attention from law enforcement authorities in these countries.”


There are several steps users can take in the future to avoid having their bank accounts emptied, chief among them: Make sure your phone only allows downloads from trusted sources. At least then you can vet untrusted apps on a case-by-case basis. (Check under “security” in your phone’s settings.)

I can’t recommend enough just not downloading flashlight apps. They have a terrible reputation for hosting malware and it doesn’t seem like that’s changing anytime soon. Just buy a flashlight. This one is $21 and it’ll even charge your now hopefully malware-free phone.



About the author

Dell Cameron

Privacy, security, tech policy | Got a tip? Email: dell@gizmodo.com | Send me encrypted texts using Signal: (202)556-0846

PGP Fingerprint: A70D 517E FB9A 02C9 C56E 86D5 877E 64E7 10DF A8AE
OTR Fingerprint: 2374A8EA 6D2B7712 0D82D659 C0FE8253 A3F080FD