Android Banking Trojan Masquerades As Flash Player, Circumvents 2FA
A newly found Android trojan is targeting customers of large banks in Australia, New Zealand and Turkey. The banking malware, flagged as Android/Spy.Agent.SI by security firm ESET, disguises itself as Flash Player and spreads via unofficial app stores. It can steal users' login credentials from 20 mobile banking apps, and can also mimic the login screens of popular services such as PayPal, eBay, Skype, WhatsApp and several Google services. The trojan is able to intercept SMS communications, which in turn allows it to circumvent two-factor authentication.
Intercept SMS? (Score:2)
How can an app actually intercept SMS? Is this common on the Android platform, that apps can intercept that kind of deep system stuff?
Re: (Score:2)
And, since you can't actually deny permissions in Android (without more work), and it seems that 'all apps' love having access to way more than they should, it's hard to find 'good' applications that might not be a trojan.
Re: (Score:1)
You should try Android 6, where apps need to ask permission before they first use the feature (like on iOS). Earlier versions of Android were all or nothing, but recent versions have fine-grained control.
Re: (Score:3)
That is only if the app developer allows that in the manifest. Otherwise, the app falls back to the all or nothing permission model.
The best solution is XPrivacy/XPosed, but IIRC, that hasn't worked since Android 5 came out. Second best solution is either CyanogenMod, or if you can read Chinese and choose to trust the app, LBE Privacy Master.
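The manifest dependence discussed in the comments above, as an added example that is not part of the original thread: a small audit that reads a decoded `AndroidManifest.xml` and flags apps that request SMS permissions while targeting an API level below 23 (Android 6.0), where permissions are granted at install time rather than prompted for at first use. The function name `audit_manifest` and the sample manifest are constructed for illustration; the sample is not the manifest of the trojan in the story.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
RUNTIME_PERMISSION_SDK = 23  # Android 6.0 introduced runtime permission prompts
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Constructed sample. A manifest inside an APK is binary XML, so this assumes
# it has already been decoded to text by an APK inspection tool.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashplayer">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="19"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""


def audit_manifest(xml_text):
    """Report SMS permissions and whether they are granted at install time."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    # A missing targetSdkVersion falls back to minSdkVersion, which defaults to 1.
    target = 1
    if sdk is not None:
        target = int(sdk.get(ANDROID_NS + "targetSdkVersion")
                     or sdk.get(ANDROID_NS + "minSdkVersion") or 1)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms = sorted(requested & SMS_PERMISSIONS)
    legacy = target < RUNTIME_PERMISSION_SDK
    return {
        "package": root.get("package"),
        "target_sdk": target,
        "sms_permissions": sms,
        # Legacy targets get every requested permission when installed; on
        # Android 6+ the user can still revoke them afterwards in Settings.
        "install_time_grant": legacy,
        "flag": bool(sms) and legacy,
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```
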
Re: (Score:1)
I was just looking at that on my new device running Android 6 and that doesn't appear true. Either every application I have installed allows me to enable and disable permissions, or the OS just allows it. In fact, when I go to disable a permission it gives a warning saying "This app was designed for an older version of Android. Denying permission may cause it to no longer function as intended."
Clearly I can disallow permissions, it just might break the app and is in no way enforced by the manifest as you
Re: (Score:1)
That is only if the app developer allows that in the manifest. Otherwise, the app falls back to the all or nothing permission model.
And, more importantly, only if your phone has Android 6 available, which the vast majority in actual use likely don't.
And don't go on and on about installing custom "ROMs", Cyanogen, etc. Only about 1% of Android users outside of Slashdot would even know how to do that, let alone figure out where to get a TRUSTWORTHY custom "ROM", etc.
So yeah, good that Android is FINALLY getting something akin to iOS' Security Model; but in reality, it will be half-a-decade before all Android phones are running Android
Re:Intercept SMS? (Score:4, Insightful)
Re: (Score:2)
XPrivacy does exactly this, but AFAIK, it doesn't work well with Android 5 or newer. There are a lot of applications which ask for everything. For example, the Cracked app used to demand access to the GPS, even though all it just did was be a shell for Web content.
Another app that fetches everything is Yik Yak. It goes through the phone to find any individual IDs it can, so it can permanently tie an "anonymous" ID to the phone and the person.
Location data isn't too hard to fake. Enable mock locations...
Re: (Score:2)
Where can I get this?
My thought exactly.... they had a lucky escape and only installed a banking trojan!
More Complete Pwnage (Score:2)
Devices have been 'pwned' before but it seems to be escalating, as malware used to just do 1 or 2 related malicious things (ad redirects/BHOs/ad banner replacements etc.).
I'm waiting for ransomware to hit mobile. "Oh you want to make phone calls? $20 to unlock that functionality. Browse the web? $20. Use apps? $20. Once you talk to your bank for 3 hours and get your money back, send the bitcoins to this address." It'll be cleverly priced at less than the cost of a replacement phone (maybe first determining
Re: (Score:1)
I have a feeling Google tacitly allows Android's design to be pwnable, so that the Play store vetting is the only thing stopping your device from getting malware
If only that were true [grahamcluley.com]. But unfortunately, you have only a slightly better chance of actually getting a "clean", well-behaved App from the Play Store than you do from some random .ru site.
Re: (Score:2)
FTFY
Re: (Score:2)
The AC seems to think that physical possession of the smartphone somehow magically conveys the other factor (the password.) Clearly it doesn't.* The first factor is the possession of the phone (s
How is this a security issue? (Score:1)
It would be a real story if this Android banking trojan silently installed itself without the end user taking action. This kind of non-story belongs over on the Microsoft Register [theregister.co.uk].
Mod Parent Up. (Score:2)
"Android trojan .. disguises itself as Flash Player and spreads via unofficial app stores"
It would be a real story if this Android banking trojan silently installed itself without the end user taking action. This kind of non-story belongs over on the Microsoft Register [theregister.co.uk].
This is the iPhone defence.
Yep, this is exactly the excuse that iPhone users use to dismiss security issues brought on by jail breaking and Cydia.
Getting the user to install malicious software has always been and will always remain the most effective way of spreading it. Doesn't matter what the platform is and in the end, there is only so much you can do to protect stupid people from themselves.
But... (Score:2)
Does it play Flash or not?
No Flash (Score:4, Funny)
Actually *NOT* playing flash (even more so flash ads) would be a *positive* feature.
Almost redeeming its trojan-ness.
Caveat emptor (Score:2)
"spreads via unofficial app stores"
So... if you use the official Play store you're not going to be exposed to this?
What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.
Re: (Score:1)
The only exceptions I would make are the Amazon app store and F-Droid.
Seriously, I can't see the need for ANY "exceptions" whatsoever.
Think about it: With the pretty much laissez-faire attitude that Google has about "Acceptability" for Apps in the Play Store, why oh why would ANY legit Android Developer NOT want the raw number of potential sales that comes with having your App listed on the "One Stop Shopping, and Approved, 'Safe' " Google Play Store?
So, IMHO, the fact that an App is NOT listed on Google Play should be the #1 Red Flag that something isn't exactly what it s
Re: (Score:1)
What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.
In all seriousness, and without a hint of Trolling, the main "advantage", AFAICT, is that it makes you feel superior to users of iOS, because only you have true "freedom".
Unfortunately, like in life, with "freedom" comes responsibility; and up until just recently, Android really didn't give users a fighting chance when it came to its Permissions model.
In fact, the very combination of "Sideloading" (or lack of Walled-Garden-ness) and Android's clearly pathetic "all-or-nothing" Permissions Model (who the
Re: (Score:2)
Other than sticking your tongue out at iOS users, there are a couple of stores that are good.
I have the Amazon app store, which is nice since Amazon loves to give away paid apps for free - through their daily giveaways as well as massive monthly giveaways and even their new one where the more you use it, t
I'm still not clear! (Score:1)
Why are those that we trust with our finances allowing funds to be transferred without live, in person, face to face interaction? It's not like none of us could go to the local branch verifying our identity, right? Money is all about trust after all.
In conclusion (Score:2, Informative)
Android
Re: (Score:1)
The price of free choice is that some people will choose poorly. The price of restricted choice is that sometimes Apple will choose poorly on our behalf.
The problem with "choosing poorly" is that it isn't just "some people"; it is the VAST MAJORITY of people, that have better things to do with their lives than learn the ramifications of clicking "Allow".
Yes, the price of freedom is eternal vigilance; but in this particular case, you can get pwned even if you are extremely vigilant.
Uh...flash player? Really? (Score:2)
Not two-factor (Score:2)
That's funny (Score:3)
"The banking malware ... disguises itself as Flash Player..."
That's funny, usually it's the other way around.