
Android Banking Trojan Masquerades As Flash Player, Circumvents 2FA

A newly found Android trojan is targeting customers of large banks in Australia, New Zealand and Turkey. The banking malware, flagged as Android/Spy.Agent.SI by security firm ESET, disguises itself as Flash Player and spreads via unofficial app stores. It can steal users' login credentials from 20 mobile banking apps, and can also mimic the login screens of popular services such as PayPal, eBay, Skype, WhatsApp and several Google services. The trojan is able to intercept SMS communications, which in turn allows it to circumvent two-factor authentication.
  • How can an app actually intercept SMS? Is this common on the Android platform, that apps can intercept that kind of deep system stuff?

    • Any apps with the right permissions can read and edit SMS.
      • And, since you can't actually deny permissions in Android (without more work), and it seems that 'all apps' love having access to way more than they should, it's hard to find 'good' applications that might not be a trojan.

        • by Anonymous Coward

          You should try Android 6, where apps need to ask permission before they first use the feature (like on iOS). Earlier versions of Android were all or nothing, but recent versions have fine-grained control.

          • That is only if the app developer allows that in the manifest. Otherwise, the app falls back to the all or nothing permission model.

            The best solution is XPrivacy/XPosed, but IIRC, that hasn't worked since Android 5 came out. Second best solution is either CyanogenMod, or if you can read Chinese and choose to trust the app, LBE Privacy Master.

            • by Anonymous Coward

              I was just looking at that on my new device running android 6 and that doesn't appear true. Either every application I have installed allows me to enable and disable permissions, or the OS just allows it. In fact, when I go to disable a permission it gives a warning saying "This app was designed for an older version of Android. Denying permission may cause it to no longer function as intended."

              Clearly I can disallow permissions, it just might break the app and is in no way enforced by the manifest as you

            • That is only if the app developer allows that in the manifest. Otherwise, the app falls back to the all or nothing permission model.

              And, more importantly, only if your phone has Android 6 available, which the vast majority in actual use likely don't.

              And don't go on and on about installing custom "ROMs", Cyanogen, etc. Only about 1% of Android users outside of Slashdot would even know how to do that, let alone figure out where to get a TRUSTWORTHY custom "ROM", etc.

              So yeah, good that Android is FINALLY getting something akin to iOS' Security Model; but in reality, it will be half-a-decade before all Android phones are running Android

      • Re:Intercept SMS? (Score:4, Insightful)

        by Chrisq ( 894406 ) on Friday March 11, 2016 @05:39AM (#51676353)
        This is one of my pet hates about android (and I'm generally a fan). A lot of apps ask for that permission but just for registration. Up until the latest version (and still on one of my phones) you had to accept this permission to register but then had no way to revoke it afterwards, so you had to hope for the lifetime of the app that it wasn't compromised and wouldn't start messaging premium-rate SMS services or forwarding your message.
  • Devices have been 'pwned' before but it seems to be escalating, as malware used to just do 1 or 2 related malicious things (ad redirects/BHOs/ad banner replacements etc.).

    I'm waiting for ransomware to hit mobile. "Oh you want to make phone calls? $20 to unlock that functionality. Browse the web? $20. Use apps? $20. Once you talk to your bank for 3 hours and get your money back, send the bitcoins to this address." It'll be cleverly priced at less than the cost of a replacement phone (maybe first determining

    • Scroll down two stories to read the usual Slashdot sneering about Apple products.
    • I have a feeling Google tacitly allows Android's design to be pwnable, so that the Play store vetting is the only thing stopping your device from getting malware

      If only that were true [grahamcluley.com]. But unfortunately, you have only a slightly better chance of actually getting a "clean", well-behaved App from the Play Store than you do from some random .ru site.

  • "Android trojan .. disguises itself as Flash Player and spreads via unofficial app stores"

    It would be a real story if this Android banking trojan silently installed itself without the end user taking action. This kind of non-story belongs over on the Microsoft Register [theregister.co.uk].
    • "Android trojan .. disguises itself as Flash Player and spreads via unofficial app stores"

      It would be a real story if this Android banking trojan silently installed itself without the end user taking action. This kind of non-story belongs over on the Microsoft Register [theregister.co.uk].

      This is the iPhone defence.

      Yep, this is exactly the excuse that iPhone users use to dismiss security issues brought on by jailbreaking and Cydia.

      Getting the user to install malicious software has always been and will always remain the most effective way of spreading it. Doesn't matter what the platform is and in the end, there is only so much you can do to protect stupid people from themselves.

  • Does it play Flash or not?

  • "spreads via unofficial app stores"

    So... if you use the official Play store you're not going to be exposed to this?

    What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.

    • What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.

      In all seriousness, and without a hint of Trolling, the main "advantage", AFAICT, is that it makes you feel superior to users of iOS, because only you have true "freedom".

      Unfortunately, like in life, with "freedom" comes responsibility; and up until just recently, Android really didn't give users a fighting chance when it came to its Permissions model.

      In fact, the very combination of "Sideloading" (or lack of Walled-Garden-ness) and Android's clearly pathetic "all-or-nothing" Permissions Model (who the

    • by tlhIngan ( 30335 )

      What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.

      Other than sticking your tongue out at iOS users, there are a couple of stores that are good.

      I have the Amazon app store, which is nice since Amazon loves to give away paid apps for free - through their daily giveaways as well as massive monthly giveaways and even their new one where the more you use it, t

  • Why are those that we trust with our finances allowing funds to be transferred without live, in person, face to face interaction? It's not like none of us could go to the local branch verifying our identity right? Money is all about trust after all.

  • In conclusion (Score:2, Informative)

    by Swampash ( 1131503 )

    Android

  • Yet another reason why Adobe Flash should die a much faster death.
  • It's not really two-factor if one of them comes from the same machine being used for access.
  • by JustAnotherOldGuy ( 4145623 ) on Friday March 11, 2016 @01:14PM (#51678649)

    "The banking malware ... disguises itself as Flash Player..."

    That's funny, usually it's the other way around.
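
The permission points debated in the thread can be checked before an APK from an unofficial store is installed. The sketch below is an added example, not part of the Slashdot story or ESET's analysis: it reads a decoded, text-form AndroidManifest.xml and reports the SMS permissions requested, whether the app targets an API level below 23 (Android 6, where ask-on-first-use permissions begin), and any receiver registered for incoming SMS. The sample manifest, package name and class name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest (decoded text form); package and class names are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="19"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Flash Player">
    <receiver android:name=".SmsListener">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return the SMS-related findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    uses_sdk = root.find("uses-sdk")
    # A missing targetSdkVersion defaults to minSdkVersion, and that to 1.
    target = 1
    if uses_sdk is not None:
        target = int(uses_sdk.get(ANDROID_NS + "targetSdkVersion")
                     or uses_sdk.get(ANDROID_NS + "minSdkVersion") or 1)
    receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                receivers.append((rcv.get(ANDROID_NS + "name"),
                                  int(flt.get(ANDROID_NS + "priority") or 0)))
    return {
        "sms_permissions": sorted(requested & SMS_PERMISSIONS),
        "target_sdk": target,
        # Targeting below API 23 means permissions are granted at install time.
        "install_time_grant": target < 23,
        "sms_receivers": receivers,
    }
```

An app that presents itself as a media player yet requests SMS permissions and registers a high-priority SMS receiver is the mismatch worth a closer look.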
