A mobile malware with a devastating impact has been spotted in the wild, extracting login and financial credentials from infected users. The Trojan is detected as Android/Spy.Agent.Sl (ESET), Trojan-Banker.AndroidOS.Agent.au (Kaspersky) and Android.SmsBot.539.origin (Dr.Web). Malware researchers from ESET have reported that it can be controlled remotely instead of being completely automatic, which may make it even more effective. The primary functions of the Trojan are to obtain OS information from the device, collect saved login credentials and display various web pages to the user. The Trojan also connects to remote networks. All users of online banking are advised to immediately restart their device, format it, and then change all of their online banking passwords.
| Name | Android Banking Trojan |
| Type | Android Banking Trojan |
| Short Description | The Trojan steals financial credentials and sends SMS from the compromised device. |
| Symptoms | The user may see login pages of his bank pop up on his phone. |
| Distribution Method | Via a fake Flash Player for Android. |
Android Banking Trojan – How Is It Spread
This Trojan is reported to be distributed via malicious URLs. Such URLs may be opened on the device by an adware program that automatically opens ads on the user's phone. Some users have also reported in-app adverts that contained malware such as the Android Banking Trojan. One example is a spam bot on Facebook posting a link to Android malware.
After tapping on the link, the user may see a message stating that the Flash Player on his Android device requires an update, after which he downloads the malware, which appears to be a "newer" version of Flash Player. However, it has nothing to do with Flash Player; instead, it infects the device and connects to the cyber-criminals' C&C (Command and Control) server.
Android Banking Trojan In Detail
Once activated, the Android Trojan may immediately start collecting the following information from the device:
- Android version.
- Installed security software.
- Login credentials of apps.
The Banking Trojan can even display so-called "phishing" pages: web pages that look identical to the login pages of the banking service the user is using and that may claim the user has entered his password incorrectly. If the user types his username and password, the data may be sent to the cyber-criminals' servers and the page may reload to the original one. So if you have seen this symptom and you are positive you entered your details correctly, you should immediately check your phone for the Banking Trojan.
The cyber-criminals have even designed the Trojan to control SMS messages, enabling them to bypass two-factor authentication by sending messages from the user's smartphone without his consent. Furthermore, researchers report that the Trojan has attacked customers of the online banking services of over 20 major banks.
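The traits described above can be turned into a simple triage check. The following is an added example, not code from the original article or from ESET's research: it scores an app inventory for a Flash Player disguise, installation from outside Google Play, and SMS access. The inventory format, package names and threshold are assumptions constructed for illustration.

```python
# Added triage example. The inventory records below are constructed, not real device data.
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
PLAY_STORE = "com.android.vending"  # installer package name of Google Play


def score_app(app):
    """Return (score, reasons) for one inventory record."""
    reasons = []
    label = app.get("label", "").lower()
    if "flash" in label and "player" in label:
        reasons.append("poses as Flash Player")
    if app.get("installer") != PLAY_STORE:
        reasons.append("sideloaded (not installed by Google Play)")
    sms = sorted(SMS_PERMS & set(app.get("permissions", [])))
    if sms:
        reasons.append("SMS access: " + ", ".join(p.rsplit(".", 1)[1] for p in sms))
    return len(reasons), reasons


def triage(inventory, threshold=2):
    """List apps matching at least `threshold` indicators, highest score first."""
    hits = []
    for app in inventory:
        score, reasons = score_app(app)
        if score >= threshold:
            hits.append((score, app["package"], reasons))
    return sorted(hits, key=lambda h: (-h[0], h[1]))


# Constructed inventory (package names are made up for illustration).
SAMPLE = [
    {"package": "com.example.bank", "label": "Example Bank",
     "installer": PLAY_STORE, "permissions": ["android.permission.INTERNET"]},
    {"package": "com.example.sms", "label": "Messages", "installer": PLAY_STORE,
     "permissions": ["android.permission.SEND_SMS", "android.permission.READ_SMS"]},
    {"package": "com.example.updater", "label": "Flash Player", "installer": None,
     "permissions": ["android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                     "android.permission.INTERNET"]},
    {"package": "com.example.game", "label": "Puzzle", "installer": None,
     "permissions": ["android.permission.INTERNET"]},
]

if __name__ == "__main__":
    for score, package, reasons in triage(SAMPLE):
        print(f"{package}: {score}/3 - " + "; ".join(reasons))
```

A single indicator is common among legitimate apps (a messaging app needs SMS access, and some users sideload apps on purpose), which is why the default threshold requires two.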
Remove Android Banking Trojan from Your Phone
If you believe your phone has been infected with this or other phone malware, we advise you to immediately change the passwords of all the accounts you log in to from your phone. After this, we strongly advise you to wipe your phone clean by following our instructions below.
If you want to be protected in the future, we also recommend rooting your phone. This will enable you to configure its settings so that advertisements and redirects are blocked. Finally, we also recommend using powerful anti-malware protection for mobile devices.