An Android that robbed your bank account

It was predicted, it was feared, and the day has come. An Android Trojan that has the ability to steal money from bank accounts has emerged in Russia. Kaspersky Lab Mobile expert Serge Malenkovich takes a closer look and shares top tips to avoid falling foul of the cyber-criminals.

We have discussed all of the dangers posed by potential smartphone viruses. Your smartphone contains private and financial data, valuable to cybercriminals. Nevertheless, most “commercially-oriented” Android malware steals from users by sending text messages to premium-rate numbers. Although unpleasant, this kind of theft rarely inflicts major damage, because accounts associated with cell phones rarely contain a significant amount of money. Moreover, responsible network operators often refund users affected by this type of theft. So it’s no surprise that thieves have now invented more effective tools.

Kaspersky Lab analysts recently discovered an Android Trojan that was designed to execute remote commands issued by a hacker. It doesn’t send premium SMS automatically, but it is able to steal all incoming and outgoing texts, call logs, phone IMEI, network IDs and other data. A thief can remotely command the infected smartphone to send arbitrary SMS as well as set up incoming call and/or message filters affecting specific phone numbers. This toolset is used to check if a phone is attached to a mobile banking service, and after this, hackers try to transfer their victim’s money.

The test, conducted in Russia, has shown that hackers try to check whether an infected phone is registered with Sberbank, a popular bank in Russia. In Russia, the registered phone owner is able to withdraw a balance using the phone number. The daily amount of such a transfer is limited to $100 and requires additional confirmation, but hackers have all the instruments to confirm the transfer as well as prevent the legitimate owner from noticing any suspicious messages. With any luck for the thieves, a Trojan could survive on a victim’s phone for many days, effectively emptying his or her bank account.

Russian hackers are well known in the cybercriminal world for establishing innovative theft schemes and software. After some initial testing in Russia, this Trojan might be resold to criminals in other regions to pull off the same scheme, as it is effective for any country and bank relying only on SMS for issuing payment instructions. To spread the Trojan, hackers could infect legitimate websites and redirect mobile users to malicious sites offering a “Flash player update.”

To avoid infection, follow the Android user golden rules:

  • Switch off “Allow installation from unknown sources” in security settings
  • Use Google Play, do not use untrusted third-party app stores
  • Before installing a new app, check every permission requested by this app and consider if those permissions are reasonable for that type of app
  • Check app ratings and download counts; avoid applications with low ratings and a small number of downloads
  • Use full-scale security protection for your Android
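
The permission check from the list above can be partly automated. The following is an added example, not code from Kaspersky Lab or the original post: it reads an app manifest already decoded to plain XML (for example with apktool) and flags the permissions behind the capabilities described earlier. The capability-to-permission mapping, the package names and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Capabilities the article attributes to the Trojan, mapped to the Android
# permissions an app has to request for them (mapping assumed by this example).
CAPABILITIES = {
    "read or intercept SMS": {P + "RECEIVE_SMS", P + "READ_SMS"},
    "send arbitrary SMS": {P + "SEND_SMS"},
    "read call logs": {P + "READ_CALL_LOG"},
    "read IMEI and network IDs": {P + "READ_PHONE_STATE"},
    "receive remote commands": {P + "INTERNET"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def review(manifest_xml):
    """List matched capabilities and flag the SMS-banking combination."""
    perms = requested_permissions(manifest_xml)
    hits = {cap for cap, needed in CAPABILITIES.items() if perms & needed}
    # Abusing SMS banking needs all three: send the payment instruction,
    # read (and hide) the bank's confirmation, and reach a remote operator.
    combo = {"send arbitrary SMS", "read or intercept SMS", "receive remote commands"}
    return {"capabilities": sorted(hits), "sms_banking_risk": combo <= hits}

# Constructed sample: a fake "Flash player update" with SMS and network access.
FAKE_UPDATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample: a flashlight app that only needs the camera.
FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("fake update", FAKE_UPDATE), ("flashlight", FLASHLIGHT)):
        print(name, review(manifest))
```

A flagged result is a prompt for review, not a verdict: legitimate messaging apps request the same combination, so the question remains whether the permissions are reasonable for that type of app.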

This blog entry first appeared on the Kaspersky Lab blog on August 1, 2013. Serge Malenkovich is a Kaspersky Lab Mobile expert.
