Christmas is coming! Unfortunately, in the realms of malware and cyber fraud, the coming of winter holidays bears a tinge of bitterness. It’s that time of the year when cybercriminal activity hits the ceiling. That being said, it should come to no one’s surprise that Locky ransomware is revived once again, in a brand new campaign which could easily be followed by more activities on behalf of Locky’s operators.
Besides ransomware, Android users should be extra alert since winter appears to be the most favorite time for banking malware. Christmas may be a month away, but we’re already seeing an uptick in Android campaigns targeting famous banks. Fortinet researchers already disclosed one such campaign that is targeting 15 different mobile banking apps for German banks. It is entirely possible that additional banks or other organizations could be added in future releases of this malware, researchers write.
This banking malware is designed to steal login credentials from 15 different mobile banking apps for German banks. It also has the ability to resist anti-virus mobile apps, as well as hinder 30 different anti-virus programs and prevent them from launching.
How is the malware installed on an Android device?
Apparently, the malware poses as an email app. Once it is installed, an icon will appear in the launcher. This is how it looks:
After the installation of the malicious app, device admin rights are granted. When the user launches a targeted banking app, the malware sends a request via HTTPS to its command and control server for the payload. The C&C server responds with a fake customized login page. The malicious app displays a crafted login screen overlay on top of the legitimate app. This is indeed how the malicious app collects the entered banking credentials. In addition, the cyber criminals have created a different login screen for each of the targeted banks.
The malware is also designed to conceal the icon from the launcher. That is why victims may believe that they have failed to install the app. While in the background, however, the malware will try to prevent about 30 different mobile anti-virus apps from launching. The malware will also
- Collect data about the device;
- Collect the installed app lost;
- Send everything to the C&C server;
- Wait for further instructions.
According to Fortinet researchers, the malware can intercept SMS messages, send out mass text messages, update the targeted app list, and set a new password for the device. The malware could also be capable of further malicious activities.
One thing the malware is not yet capable of is stealing credit card data, but this could also be added to its set of skills.
How can victims remove the malicious app?
Affected users should first disable the malware’s device admin rights. This is done in Settings -> Security -> Device administrators -> Device Admin -> Deactivate. Victims should then uninstall the malware with the help of Android Debug Bridge via using ‘adb uninstall [packagename]’.