A new Android banking trojan holds up anti-virus solutions to ensure it steals all the financial information it needs from its victims.
Fortinet’s security research team says the malware is currently masquerading as an email app. Yeah… one that asks for a whole bunch of administrator privileges, including the right to lock the screen and set storage encryption.
Like other Android banking trojans out there, it also has the ability to receive and send SMS messages. That feature helps the malware to bypass SMS-based two-step verification (2SV) if a user has that feature enabled on their accounts.
Upon successful installation, the malware starts up three services.
The first, known as GPService2, monitors all processes to determine if and when the user loads up a banking app that’s included on its list. If it detects that activity, it communicates with its command and control (C&C) server to deliver its payload: a fake login page that pops up over the legitimate banking app to steal credentials.
Some users might detect something’s not right and try to launch an anti-virus app. But as Fortinet’s research team discovered, this malware won’t be having any of that.
The malware detects whether the user is trying to run an anti-virus app, by checking a list which includes:
If an anti-virus app is detected, the user is returned to the HOME launcher screen.
FDService, the malware’s second service, comes with its own targeted app list. It’s currently empty, though that list could populate with other banking apps or even social media platforms in the near future.
The trojan’s third and final service, AdminRightsService, does exactly what its name implies: request admin rights when the malware launches for the first time.
Currently, the malware is targeting 15 different German mobile banking apps:
Whether the trojan stops there and doesn’t add more apps remains to be seen.
As all of the targeted apps are so far in German, the authors could use geolocation to limit their campaign’s scope. Perhaps they themselves speak only German and therefore don’t want to go through the hassle of translating their fake login pop-ups or dealing with international currencies.
Alternatively, maybe the sky’s the limit for these attackers, meaning we’ll see similarly malicious apps spread to other colleges.
Acknowledging that uncertainty, it’s a good idea for users to download apps only from trusted developers on official app stores. They should also exercise caution around suspicious links and email attachments as well as install a security solution onto their mobile devices.
Finally, users might want to think about not conducting any banking on their mobile phones unless it’s absolutely necessary. That way the malware would never be able to steal any of a user’s sensitive financial information.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
2 comments on “Anti-virus away! Android banking trojan blocks security apps to evade detection”
Great content here Graham and team… I wonder if that is the list or if it's longer?
I don't think there is a reason any app should have the privileges shown in that screen shot. That should be warning #1