The Acecard Android banking Trojan leaves little to chance. The malware is capable of attacking 50 separate online financial applications, bypass Google Play Store security and act as part of a phishing scam.
The Kaspersky Lab Anti-malware Research Team called Acecard “one of the most dangerous Android banking Trojans ever seen” specifically noting the amount of versatility built into the malicious software. In addition to attacking banking apps, it has the ability to overlay phishing windows on several popular social media sites, including Facebook, Instagram, WhatsApp, and it can also do so with Gmail, PayPal's mobile app and Google Play and Music.
“It can be distributed under the guise of another programme, via official app stores, or via other Trojans. The combination of Acecard's capabilities and methods of propagation make this mobile banker one of the most dangerous threats to users today,” Roman Unuchek senior malware analyst at Kaspersky Lab USA told SCMagazine.com in a Monday email.
Acecard has been around since February 2014, but for an unknown reason lay dormant. However, usage picked up starting mid-2015 and spiked during December 2015. During this period Kaspersky saw 6,000 attacks take place, primarily in Russia, Austria, Germany, France and Australia.
Acecard's increase in activity started in June 2015. This coincided with a major modification made to the malware that was spotted by Kaspersky in September 2015 when the ability to overlay even more banking apps for phishing purposes. In October the malware was upgraded so it could attack the three largest US banks and in December a Spanish bank was added to its target list.
Unuchek believes the gang behind Acecard is the same one that developed the first TOR Trojan for the Android operating system, Backdoor.AndroidOS.Torec.a.
“The evidence for this is based on similar code lines (names of methods and classes) and the use of the same Command and Control servers. This proves that Acecard was made by a powerful and experienced group of criminals, most likely Russian-speaking,” he said.