05/01/2018
Android malware disguises itself as Flash Player, targets banking apps
A new Android banking Trojan known as "Android.banker.A9480" has been discovered that targets over 232 banking apps, including some from Indian banks. Discovered by Quick Heal Security Labs, the new Android banking malware is reported to be designed to steal login credentials, hijack SMS messages, and upload contact lists and SMS messages to a malicious server. It is also able to display an overlay on top of your existing apps and capture what the user types into it.
This malware targets over 232 banking, cryptocurrency and e-commerce apps.
Targeted banking apps in India include:
axis.mobile (Axis Mobile)
snapwork.hdfc (HDFC Bank MobileBanking)
sbi.SBIFreedomPlus (SBI Anywhere Personal)
hdfcquickbank (HDFC Bank MobileBanking LITE)
csam.icici.bank.imobile (iMobile by ICICI Bank)
snapwork.IDBI (IDBI Bank GO Mobile+)
idbibank.abhay_card (Abhay by IDBI Bank Ltd)
com.idbi (IDBI Bank GO Mobile)
idbi.mpassbook (IDBI Bank mPassbook)
co.bankofbaroda.mpassbook (Baroda mPassbook)
unionbank.ecommerce.mobile.android (Union Bank Mobile Banking)
unionbank.ecommerce.mobile.commercial.legacy (Union Bank Commercial Clients)
The malware also targets a multitude of apps from international banks, cryptocurrency wallets, Amazon Shopping app, eBay and AirBnB among others.
The infection is designed and distributed as a Trojan. Like the wooden horse from Greek mythology, the malware is disguised as a legitimate app. Android.banker.A9480 is distributed through third-party app stores disguised as a Flash Player app. The legitimate Flash Player, despite its own questionable history with internet security, is widely used by millions to access various web applications.
Once an unsuspecting user installs the malicious app, it asks the user to activate administrative rights. If the user tries to deny the request, the app keeps throwing continuous pop-ups until admin rights are granted. After getting admin rights, the malicious app runs tasks in the background such as repeatedly checking the apps installed on the victim’s device, looking in particular for the 232 targeted apps, which include banking and some cryptocurrency apps.
The report further adds that the malware can intercept all incoming and outgoing SMSs from the infected device. This enables attackers to bypass SMS-based two-factor authentication on the victim’s bank account (OTP).
If any of the targeted apps is found on the infected device, the malware throws up a fake notification screen that leads the user to a login screen, both designed to mimic the original app. From here the app can easily steal the user’s banking ID and password.
How to stay safe
1. Do not install apps from third-party sources, and disable installation from ‘Unknown Sources’ in the device settings under developer options.
2. As an extra precaution, go through the list of permissions every app requests from you during installation. If there is something there that it should not need, such as access to your contact list or the ability to read messages, be on guard.
If you are installing a flashlight application, ask yourself why exactly it requires permission to view your contacts, messages and even your GPS location. By simply using a bit of common sense, a lot of security breaches can be avoided.
Knowledge is power when it comes to living in the age of the internet. Knowing that Adobe has stopped supporting Flash Player development for all Android devices, you already know that any application offering itself as a Flash Player is quite shady. Besides, with more websites and streaming services making the switch to HTML5, it is only a matter of time until Flash is no longer needed.
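The capability combination described above (device-administrator rights, SMS interception, screen overlays, contact upload, and an app calling itself Flash Player) can be checked for from a computer with adb rather than by reading permission prompts by eye. The following Python script is an added example, not code from the article or from Quick Heal Security Labs. It assumes the input text is what `adb shell dumpsys package <pkg>` and `adb shell dumpsys device_policy` print; the embedded samples are constructed and simplified, not captures from a real device, and package names such as com.example.flashplayer are placeholders.

```python
"""Triage an Android app inventory for the overlay-banker profile described in
the article: device-admin rights plus SMS interception, overlays and contact
access, often under a 'Flash Player' name.

Assumed workflow (not from the article): feed in the text printed by
`adb shell dumpsys package <pkg>` and `adb shell dumpsys device_policy`.
The samples below are constructed and simplified, not real captures.
"""
import re

# Permissions that map to behaviours the article attributes to the malware.
INDICATOR_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (OTP bypass)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.SEND_SMS": "can send SMS from the device",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.READ_CONTACTS": "can upload the contact list",
}

# Constructed sample in the layout of `dumpsys package` (simplified).
SAMPLE_DUMPSYS_PACKAGE = """\
Packages:
  Package [com.example.chatapp] (1a2b3c):
    userId=10201
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.flashplayer] (4d5e6f):
    userId=10202
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SEND_SMS
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
"""

# Constructed sample in the layout of `dumpsys device_policy` (simplified).
SAMPLE_DUMPSYS_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.flashplayer/.AdminReceiver:
      uid=10202
      testOnly=false
      policies:
        force-lock
        wipe-data
"""

PACKAGE_HEADER = re.compile(r"^\s*Package \[([\w.]+)\]")
ADMIN_LINE = re.compile(r"^\s*([\w.]+)/([\w.]+):\s*$")


def parse_requested_permissions(text):
    """Map package name -> set of permissions listed under 'requested permissions:'."""
    perms, current, in_requested = {}, None, False
    for line in text.splitlines():
        m = PACKAGE_HEADER.match(line)
        if m:
            current = m.group(1)
            perms[current] = set()
            in_requested = False
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
            continue
        if stripped.endswith(":"):  # any other section header closes the block
            in_requested = False
            continue
        if in_requested and current and stripped.startswith("android.permission."):
            perms[current].add(stripped.split(":")[0].split()[0])
    return perms


def parse_device_admins(text):
    """Return the package names that hold an enabled device-admin receiver."""
    admins, in_section = set(), False
    for line in text.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        m = ADMIN_LINE.match(line)
        if in_section and m:
            admins.add(m.group(1))
    return admins


def looks_like_flash_player(pkg):
    """Article's heuristic: Adobe dropped Flash on Android, so a 'Flash Player'
    app is suspect. Matches 'flashplayer' in the package name, not 'flashlight'."""
    return "flashplayer" in pkg.lower().replace(".", "").replace("_", "").replace("-", "")


def triage(perms_by_pkg, admins):
    """Return (package, score, reasons) tuples, highest score first."""
    findings = []
    for pkg, perms in perms_by_pkg.items():
        reasons = [INDICATOR_PERMISSIONS[p] for p in sorted(perms) if p in INDICATOR_PERMISSIONS]
        if pkg in admins:
            reasons.append("holds device-administrator rights")
        if looks_like_flash_player(pkg):
            reasons.append("presents itself as Flash Player (unsupported on Android)")
        score = len(reasons)
        # Admin rights + overlay + SMS access together is the banker profile; weight it.
        has_sms = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"} & perms
        if pkg in admins and "android.permission.SYSTEM_ALERT_WINDOW" in perms and has_sms:
            reasons.append("admin + overlay + SMS access: overlay-banker profile")
            score += 3
        findings.append((pkg, score, reasons))
    findings.sort(key=lambda f: -f[1])
    return findings


if __name__ == "__main__":
    admins = parse_device_admins(SAMPLE_DUMPSYS_DEVICE_POLICY)
    for pkg, score, reasons in triage(parse_requested_permissions(SAMPLE_DUMPSYS_PACKAGE), admins):
        print(f"{pkg}: score {score}")
        for r in reasons:
            print(f"    - {r}")
```

The benign chat app in the sample also requests SMS and contact permissions, so a single permission is not the signal; the score only jumps when SMS access, overlays and device-admin rights appear together in one third-party app, which is the pattern the article describes.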
Removing it
Go to your phone’s Settings -> Security -> Device Administrators and remove Flash as a device administrator. There is no reason for Flash to have administrative privileges; what you see here is simply the malware.
After removing it from device administrators, go to Settings -> Applications and uninstall it.