Android Banking Trojan Masquerades As Flash Player, Circumvents 2FA

A newly found Android trojan is targeting customers of large banks in Australia, New Zealand and Turkey. The banking malware, flagged as Android/Spy.Agent.SI by ESET security firm, disguises itself as Flash Player and spreads via unofficial app stores. It can steal login credentials of users from 20 mobile banking apps, and can also mimic login screens of popular services such as PayPal, eBay, Skype, WhatsApp and several Google services. The Android trojan is able to intercept SMS communications, which in turn, allows it to circumvent the two-factor authentication.

Intercept SMS?

[cerberusss]

How can an app actually intercept SMS? Is this common on the Android platform, that apps can intercept that kind of deep system stuff?

Re:

[righteousness]

Any apps with the right permissions can read and edit SMS.

Re:

[Firethorn]

And, since you can't actually deny permissions in Android(without more work), and it seems that 'all apps' love having access to way more than they should, it's hard to find 'good' applications that might not be a trojan.

Re:

[Anonymous Coward]

You should try Android 6, where apps need to ask permission before they first use the feature (like on iOS). Earlier versions of Android were all or nothing, but recent versions have fine-grained control.

Re:

[castionsosa]

That is only if the app developer allows that in the manifest. Otherwise, the app falls back to the all or nothing permission model.

The best solution is XPrivacy/XPosed, but IIRC, that hasn't worked since Android 5 came out. Second best solution is either CyanogenMod, or if you can read Chinese and choose to trust the app, LBE Privacy Master.

Re:

[Anonymous Coward]

I was just looking at that on my new device running android 6 and that doesn't appear true. Either every application I have installed allows me to enable and disable permissions, or the OS just allows it. In fact, when I go to disable a permission it gives a warning saying "This app was designed for an older version of Android. Denying permission may cause it to no longer function as intended."

Clearly I can disallow permissions, it just might break the app and is in no way enforced by the manifest as you

Re:

[macs4all]

That is only if the app developer allows that in the manifest. Otherwise, the app falls back to the all or nothing permission model.

And, more importantly, only if your phone has Android 6 available, which the vast majority in actual use likely don't.

And don't go on and on about installing custom "ROMs", Cyanogen, etc. Only about 1% of Android users outside of Slashdot would even know how to do that, let alone figure out where to get a TRUSTWORTH custom "ROM", etc.

So yeah, good that Android is FINALLY getting something akin to iOS' Security Model; but in reality, it will be half-a-decade before all Android phones are running Android

Re:Intercept SMS?

[Chrisq]

This is one of my pet hates about android (and I'm generally a fan). A lot of apps ask for that permission but just for registration. Up until the latest version (and still on one of my phones) you had to accept this permission to register but then had no way to revoke it afterwards, so you had to hope for the lifetime of the app that it wasn't compromised and wouldn't start messaging premium-rate SMS services or forwarding your message.

Re:

[castionsosa]

XPrivacy does exactly this, but AFIAK, it doesn't work well with Android 5 or newer. There are a lot of applications which ask for everything. For example, the Cracked app used to demand access to the GPS, even though all it just did was be a shell for Web content.

Another app that fetches everything is Yik Yak. It goes through the phone to find any individual IDs it can, so it can permanently tie an "anonymous" ID to the phone and the person.

Location data isn't too hard to fake. Enable mock locations...

Re:

[Chrisq]

Where can I get this?

My thought exactly.... they had a lucky escape and only installed a banking trojan!

More Complete Pwnage

[mentil]

Devices have been 'pwned' before but it seems to be escalating, as malware used to just do 1 or 2 related malicious things (ad redirects/BHOs/ad banner replacements etc.).

I'm waiting for ransomware to hit mobile. "Oh you want to make phone calls? $20 to unlock that functionality. Browse the web? $20. Use apps? $20. Once you talk to your bank for 3 hours and get your money back, send the bitcoins to this address." It'll be cleverly priced at less than the cost of a replacement phone (maybe first determining

Re:

[Arnold Reinhold]

Scroll down two stories to read the usual Slashdot sneering about Apple products.

Re:

[macs4all]

I have a feeling Google tacitly allows Android's design to be pwnable, so that the Play store vetting is the only thing stopping your device from getting malware

If only that were true [grahamcluley.com]. But unfortunately, you have only a slightly better chance of actually getting a "clean", well-behaved App from the Play Store than you do from some random .ru site.

Re:

[Zero__Kelvin]

That isn't true. See also. [slashdot.org] . No need to reply ... Apology accepted.

Re:

[Zero__Kelvin]

"2FA is always defined as "something you know" + "something you have"."

FTFY

Re:

[Zero__Kelvin]

Ladies and gentleman ... The above is a classic example of someone who either has no idea what they are talking about, or someone who is intentionally spreading misinformation. Rest assured that "SMS + Password" is indeed 2 factor authentication, regardless of which system is used to enter the password / secret.

The AC seems to think that physical possession of the smartphone somehow magically conveys the other factor (the password.) Clearly it doesn't.* The first factor is the possession of the phone (s

Re:

[Zero__Kelvin]

You are an idiot who doesn't have any idea what he is talking about. That would be bad enough on its own, but I just got done explaining to you why you are a clueless idiot. The fact that you can't figure it out even after it has been explained to you is pathetic. Let me try to explain it to you again. Dear moron: The phone is something you have. The password is something you know. When taken as an aggregate that's two factor auth. Period. Your belief that it matters haw the second factor was commun

How is this a security issue?

[tetraverse]

"Android trojan .. disguises itself as Flash Player and spreads via unofficial app stores"

It would be a real story if this Android 'banking trojan silently installed itself without the end user taking action. This kind of non-story belongs over on the Microsoft Register [theregister.co.uk].

Mod Parent Up.

[mjwx]

"Android trojan .. disguises itself as Flash Player and spreads via unofficial app stores"

It would be a real story if this Android 'banking trojan silently installed itself without the end user taking action. This kind of non-story belongs over on the Microsoft Register [theregister.co.uk].

This is the Iphone defence.

Yep, this is exactly the excuse that Iphone users use to dismiss security issues bought on by jail breaking and Cydia.

Getting the user to install malicious software has always been and will always remain the most effective way of spreading it. Doesn't matter what the platform is and in the end, there is only so much you can do to protect stupid people from themselves.

But...

[OpenSourced]

Does it play Flash or not?

No Flash

[DrYak]

Actually *NOT* playing flash (even more so flash ads) would be a *positive* feature.
Almost redeeming its trojan-ness.

Caveat emptor

[wildstoo]

"spreads via unofficial app stores"

So... if you use the official Play store you're not going to be exposed to this?

What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.

Re:

[macs4all]

The only exceptions I would make are the Amazon app store and F-Droid.

Seriously, I can't see the need for ANY "exceptions" whatsoever.

Think about it: With the pretty much lassez-faire attitude that Google has about "Acceptability" for Apps in the Play Store, why oh why would ANY legit Android Developer NOT want the raw number of potential sales that comes with having your App listed on the "One Stop Shopping, and Approved, 'Safe' " Google Play Store?

So, IMHO, the fact that an App is NOT listed on Google Play should be the #1 Red Flag that something isn't exactly what it s

Re:

[themusicgod1]

> And as long as we keep keeping private stuff and do private stuff (like banking) on our mobile devices (regardless of platform) If you do not have the source code, you cannot verify that your financial transactions is actually between you and your blockchain. Banking, or anything else, that is not done on an entirely free software stack is simply not safe, post 2013. No one should use Google Play for anything. The Snowden documents have shown that the NSA has been able to coopt it to get users to i

Re:

[macs4all]

What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.

In all seriousness, and without a hint of Trolling, the main "advantage", AFAICT, is that it makes you feel superior to users of iOS, because only you have true "freedom".

Unfortunately, like in life, with "freedom" comes responsibility; and up until just recently, Android really didn't give users a fighting chance when it came to its Permissions model.

In fact, the very combination of "Sideloading" (or lack of Walled-Garden-ness) and Android's clearly pathetic "all-or-nothing" Permissions Model (who the

Re:

[tlhIngan]

What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.

Other than sticking your tongue out at iOS users, there are a couple of stores that are good.

I have the Amazon app store, which is nice since Amazon loves to give away paid apps for free - through their daily giveaways as well massive monthly giveaways and even their new one where the more you use it, t

I'm still not clear!

[EzInKy]

Why are those that we trust with our finances allowing funds to be transferred without live, in person, face to face interaction? It's not like none of us could go to the local branch verifying our identity right? Money is all about trust after all.

In conclusion

[Swampash]

Android

Re:

[macs4all]

The price of free choice is that some people will choose poorly. The price of restricted choice is that sometimes Apple will choose poorly on our behalf.

The problem with "choosing poorly" is that it isn't just "some people"; it is the VAST MAJORITY of people, that have better things to do with their lives than learn the ramifications of clicking "Allow".

Yes, the price of freedom is eternal vigilance; but in this particular case, you can get pwned even if you are extremely vigilant.

Uh...flash player? Really?

[evolutionary]

Yet another reason why Adobe Flash should die a much faster death.

Not two-factor

[DriveDog]

It's not really two-factor if one of them comes from the same machine being used for access.

Re:

[Zero__Kelvin]

No. Just NO [slashdot.org]. Please stop spreading misinformation. Thanks.

That's funny

[JustAnotherOldGuy]

"The banking malware ... disguises itself as Flash Player..."

That's funny, usually it's the other way around.