Russian bank app changes password when users attempt removal

Researchers discovered a Russian fake banking application that can evade detection by changing a device's password if the victim tries to remove the app.

The malicious app, Fanta SDK, appears as an update to the legitimate Russian banking application Sberbank, according to a Trend Micro post. The app requests administrative privileges, then after logging-in, appears to run normally. Using the application's credentials, the app allows attackers to “steal money silently in the background,” wrote Trend Micro mobile threats analyst Jordan Pan.

“When users do realise that the app is malicious, they may try to uninstall the app. They won't be able to do this unless they remove the admin privileges,” Pan wrote. “When the user does so, the malware changes the phone's password, locking users out of their mobile units.”

The malware involves a functionality that is similar to Operation Emmental, a campaign that used Android malware to bypass two-factor authentication, and infected banking customers in Austria, Switzerland, Sweden, and Japan, among other countries.

The app also affects the functionality of the Google Play store. When users try to open the Play store using an infected device, the malware closes the Play application and opens a fake version of the store, so the device may be infected with other malicious apps.