It’s raining. It’s pouring. This fake weather app is stealing your credentials

Malicious app infiltrated the official Google Play Android app store.

David Bisson (@DMBisson)


A new Android banking trojan poses as a legitimate weather forecast app in an effort to steal users’ banking credentials.

The malware, dubbed Trojan.Android/Spy.Banker.HU, mimicked the legitimate Good Weather app to skirt Google’s security mechanisms and infiltrate the Play Store.

The malicious version of the Good Weather app


Spy.Banker.HU was available for all of two days before ESET reported it. But that doesn’t mean the malware isn’t preying on users who happened to install it during that time period.

Let’s take a look at how the malware works.

Upon installation, the fake app’s weather-related icon disappears. The trojan then requests administrative privileges for a “System update.” It needs these to execute its malicious activity.

Malicious app activity

Whoa… hold on a second.

“Change the screen-unlock password”? “Lock the screen”?

Those are some pretty bold requests for a weather app!

But that’s exactly what Spy.Banker.HU wants. As ESET researcher Lukas Stefanko explains in a blog post:

The trojan displays a fake login screen once the user runs one of the targeted banking apps and sends entered data to the attacker….

As for the device locking, we suspect this function enters the picture when cashing out the compromised bank account, to keep the fraudulent activity hidden from the user. Once locked out, all victims can do is wait until the malware receives a command to unlock the device.

Like other banking trojans that have come before it, the malware also has the ability to intercept SMS messages. This allows the malware to raid a user’s banking account even if they have SMS-based two-step verification enabled.

To defend against this malware and others like it, users should review the privileges of an app carefully before they install it. If what an app is requesting doesn’t line up with its intended function, they should find an alternative.

It’s also a good idea for users to consider keeping an anti-virus solution installed on their mobile device.
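The permission review described above can also be run against an app's decoded manifest before it is allowed onto a device. The following Python script is an added example, not code from ESET or from the original article; the package name, the sample manifest and policy file, and the baseline of what a weather app is expected to request are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest of a hypothetical "weather" app (not the real sample).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/policies"/>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: the device-admin policy file the receiver above points to.
POLICIES = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><reset-password/><force-lock/></uses-policies>
</device-admin>"""

# Assumed baseline for a weather app; anything outside it is reported for review.
EXPECTED = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
            "android.permission.ACCESS_COARSE_LOCATION",
            "android.permission.ACCESS_FINE_LOCATION"}
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

def review(manifest_xml, policies_xml=None):
    """Return findings where the app's requests exceed the expected baseline."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for p in root.iter("uses-permission"):
        name = p.get(ANDROID + "name", "")
        if name in SMS:
            findings.append(f"SMS access: {name}")
        elif name not in EXPECTED:
            findings.append(f"unexpected permission: {name}")
    for r in root.iter("receiver"):
        # A receiver guarded by BIND_DEVICE_ADMIN means the app can ask to be a device admin.
        if r.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.append(f"device admin receiver: {r.get(ANDROID + 'name')}")
    if policies_xml:
        for pol in ET.fromstring(policies_xml).iter("uses-policies"):
            findings += [f"device admin policy: {c.tag}" for c in pol]
    return findings

if __name__ == "__main__":
    print("\n".join(review(MANIFEST, POLICIES)))
```

The `reset-password` and `force-lock` policies correspond to the “Change the screen-unlock password” and “Lock the screen” prompts shown at activation time.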


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
