Android mobile banking trojan uses layered defences to avoid removal

Dubbed Android/Spy.Agent.si, the malware has targeted the customers of 19 banks located in Turkey, New Zealand and Australia.

Researchers at ESET have spotted a new Android banking trojan that camouflages itself as a legitimate mobile banking app, but instead of giving access to a person's bank account it steals login credentials.

Dubbed Android/Spy.Agent.si, the malware has targeted the customers of 19 banks located in Turkey, New Zealand and Australia. ESET has discovered several particularly nasty traits associated with this malware. Not only does it convincingly mimic the bank's Flash Player-based mobile app to help sucker in the victim, but it can also bypass SMS two-factor authentication.

ESET malware researcher Lukas Stefanko wrote that once the app is downloaded, it first asks the user to grant it administrative rights to the device. Once that is done, a series of defensive measures goes to work to protect the app and hide it from view.

Obtaining administrative rights to the device is its first line of defence; this alone makes the malicious software difficult, if not impossible, to uninstall. The malware next removes the bank's Flash Player icon from view. It then contacts its command and control server and transmits basic information such as the device model, IMEI number, language, software development kit version and whether the device administrator is activated.

“The malware then gathers the package names of installed applications (including mobile banking apps) and sends them to the remote server. If any of the installed apps are targets of the malware, the server sends a full list of 49 target apps, although not all of these are directly attacked,” Stefanko said.

The next step in the assault has the malware display a false login screen that can only be dismissed once the device's login credentials have been entered. Once this data is gathered, the malware briefly turns to collecting other data, such as the victim's Google account information.

Once fully installed the malware can intercept and divert the real bank's two-factor authentication SMS text so the victim is unaware anything is amiss.
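The capability chain described above (device-administrator rights for persistence, an SMS receiver for 2FA interception, phone-identity access for the IMEI beacon, and a Flash Player decoy label) can be triaged statically from an app's manifest. The following Python script is an added example and is not code from ESET or the article; the manifest it parses is constructed, and the package and component names are placeholders, while the permission and action strings are the real Android constants.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest (not a real sample) carrying the capabilities the article
# describes: a "Flash Player" decoy label, device-admin and SMS receivers, IMEI access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Flash Player">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    # Returns the list of capability findings present in the manifest.
    root = ET.fromstring(xml_text)
    attr = lambda el, name: el.get(ANDROID_NS + name, "")
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    actions = {attr(a, "name") for a in root.iter("action")}
    findings = []
    # Device-administrator receiver: the trait that makes removal hard.
    if any(attr(r, "permission") == "android.permission.BIND_DEVICE_ADMIN"
           for r in root.iter("receiver")):
        findings.append("device-admin")
    # SMS_RECEIVED receiver plus RECEIVE_SMS: what 2FA-code interception needs.
    if ("android.provider.Telephony.SMS_RECEIVED" in actions
            and "android.permission.RECEIVE_SMS" in perms):
        findings.append("sms-intercept")
    # READ_PHONE_STATE covers the IMEI the article says is sent to the C2 server.
    if "android.permission.READ_PHONE_STATE" in perms:
        findings.append("phone-identity")
    # Decoy label: branded "Flash Player" outside Adobe's own package namespace.
    app = root.find("application")
    if (app is not None and "flash player" in attr(app, "label").lower()
            and not root.get("package", "").startswith("com.adobe.")):
        findings.append("decoy-label")
    return findings
```

Any single finding is common in legitimate apps; it is the combination of all four in one package that matches the behaviour ESET describes and warrants a closer look.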

Stefanko noted that removing the malware is difficult for the user because the person has given up his or her administrative rights to the device. If the victim does try, the malware displays a warning that data may be lost if the action continues. If the owner is smart and clicks OK anyway, the software can be removed. There is also a chance, however, that the control server will deactivate all administrative rights and not allow anything to be removed.