This dangerous Android spyware could affect millions of devices
An updated version of the Banker Android spyware has been detected stealing victims' banking information and, in some cases, even their money.
According to cybersecurity researchers at Microsoft, an unknown threat actor has launched a smishing (SMS phishing) campaign to trick people into installing TrojanSpy:AndroidOS/Banker.O. This malware variant can extract all kinds of sensitive information, including two-factor authentication (2FA) codes, account credentials, and other personally identifiable information (PII).
What makes this attack particularly troubling is how covert the entire operation is.
Granting broad permissions
Once the user has installed the malware, it requests certain permissions and relies on components such as MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid.
With these, it can intercept calls and access call logs, messages, contacts, and even network information. That same access lets the malware receive and read two-factor authentication codes arriving via SMS, then delete them so the victim does not notice anything unusual.
To make matters worse, the app supports a silent command: 2FA codes arriving via SMS can be received, read and deleted in complete silence – no notification sound, no vibration, no backlight, nothing.
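The SMS-interception and auto-start behaviour described above leaves a recognisable footprint in an app's manifest. The following triage script is an added example (not Microsoft's tooling or the sample's own code): it parses an AndroidManifest.xml, maps the requested permissions to the capabilities mentioned in the article, and flags the combination of SMS interception plus boot persistence. The permission and intent-action names are real Android constants; the sample manifest, package name and class names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Capabilities the article attributes to Banker.O, mapped to the Android
# permissions that grant them. The permission names are real Android
# constants; grouping them this way is this example's own assumption.
CAPABILITY_PERMISSIONS = {
    "intercept_sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "autostart": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def sms_receivers(manifest_xml):
    """Return receivers whose intent filter listens for incoming SMS."""
    root = ET.fromstring(manifest_xml)
    return [r.get(ANDROID_NS + "name") for r in root.iter("receiver")
            if any(a.get(ANDROID_NS + "name") == SMS_RECEIVED for a in r.iter("action"))]

def triage(manifest_xml):
    """Flag the SMS-interception plus boot-persistence pattern described above."""
    perms = requested_permissions(manifest_xml)
    caps = sorted(c for c, needed in CAPABILITY_PERMISSIONS.items() if needed & perms)
    receivers = sms_receivers(manifest_xml)
    if "intercept_sms" in caps and receivers:
        risk = "high" if "autostart" in caps else "medium"
    else:
        risk = "low"
    return {"risk": risk, "capabilities": caps, "sms_receivers": receivers}

# Constructed sample manifest: package and class names are placeholders,
# not values taken from the real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsListener">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage(SAMPLE_MANIFEST)` to see the flagged result; the same check applied to an APK's decoded manifest (for example after `apktool d`) gives a quick first pass before deeper analysis.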
The threat actors behind the campaign are unknown, but what Microsoft does know is that the app, first seen in 2021 and significantly upgraded since then, can be accessed remotely.
The scale of the attack is also unknown, as it is difficult to determine exactly how many people will be affected. Last year, Banker was observed attacking only Indian consumers, and since the phishing SMS bears the logo of the Indian bank ICICI, it is safe to assume that Indian users are in the crosshairs this time around too.
“Some of the malicious APKs also use the same Indian bank logo as the fake app we investigated, which could indicate that the actors are constantly generating new versions to keep the campaign going,” the researchers said.
Via: The Register