Banking Trojan seeks system privileges and can circumvent Android security

News by Roi Perez

Comodo Threat Research Labs has recently detected the Gugi/Fanta/Lime family of financial malware within the Russian banking sector.

According to the company, the malware draws counterfeit login screens over authentic applications such as mobile-banking apps and the Google Play Store, and tricks users into typing sensitive information such as login credentials and credit card details into the overlay rather than into the real app.

The infection typically begins with a spam SMS message that contains a hyperlink to a malicious website. The message uses social engineering to lure the recipient into downloading and installing the malware on their smartphone. Because the app is delivered outside Google Play, the victim has to sideload it, which means the device must be set to allow installation from unknown sources.

According to Comodo Labs, several technical aspects of Gugi/Fanta/Lime stand out. It can circumvent security features introduced in Android 6 (Marshmallow), make telephone calls, and read and manage SMS messages, which lets it capture SMS-delivered two-factor authentication codes. It communicates with its command-and-control (C2) servers over standard HTTP on port 80, so its traffic blends in with ordinary web browsing and nothing unusual needs to be opened on the device.

Still, the malware must ask the user to grant its permissions. But once a victim has followed the first malicious link, getting rid of it is hard: the malware overlays fraudulent dialogs on top of legitimate ones, and usually offers the victim only a single choice, such as “Activate” or “Log In”.

With no other visible option, many users grant system permissions or hand over their credentials. If a user declines, Gugi/Fanta/Lime often locks the device, ransomware-style, and the victim is left to remove the malware manually, a task beyond the technical abilities of most users.
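The capabilities described above (overlay windows, SMS interception, phone calls, HTTP C2 and device locking) map onto a recognisable set of Android manifest declarations, which makes a cheap static triage check possible. The following is an added example written for this article, not Comodo's detection logic: it parses a decoded AndroidManifest.xml (real APKs store the manifest as binary XML, so it must first be decoded with a tool such as apktool or aapt), collects the requested permissions, and checks for a device-admin receiver, which is what an app needs in order to lock the screen. The two manifests and the package names in them are constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission profile of an
overlay-style banking Trojan: overlay windows, SMS access, phone calls, network access
and a device-admin receiver (used to lock the device).

Added example for this article; heuristics are ours, not the vendor's detection logic.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = "{%s}name" % ANDROID_NS
ANDROID_PERMISSION = "{%s}permission" % ANDROID_NS

# Capability -> permissions that grant it. Any one permission in the set is enough.
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.RECEIVE_SMS",
            "android.permission.READ_SMS",
            "android.permission.SEND_SMS"},
    "call": {"android.permission.CALL_PHONE"},
    "network": {"android.permission.INTERNET"},
}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission") if el.get(ANDROID_NAME)}


def has_device_admin_receiver(manifest_xml):
    """True if a receiver is protected by BIND_DEVICE_ADMIN, i.e. the app can become
    a device administrator and lock the screen once the user clicks 'Activate'."""
    root = ET.fromstring(manifest_xml)
    return any(recv.get(ANDROID_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"
               for recv in root.iter("receiver"))


def triage(manifest_xml):
    """Score the manifest and return capabilities, score and a coarse verdict."""
    perms = requested_permissions(manifest_xml)
    caps = {name: bool(perms & wanted) for name, wanted in CAPABILITIES.items()}
    caps["device_admin"] = has_device_admin_receiver(manifest_xml)
    # Overlay + SMS + network is the core of the credential/OTP theft pattern;
    # device admin adds the lock-the-device fallback described in the article.
    core = caps["overlay"] and caps["sms"] and caps["network"]
    score = sum(caps.values())
    verdict = "suspicious-banker-profile" if core else ("review" if score >= 3 else "low")
    return {"capabilities": caps, "score": score, "verdict": verdict}


# Constructed sample: a fake "update" app with the full banking-Trojan profile.
BANKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Update">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary messaging app that legitimately needs SMS and network.
BENIGN_SMS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Messenger"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("banker", BANKER_MANIFEST), ("messenger", BENIGN_SMS_MANIFEST)):
        print(label, triage(manifest))
```

The score alone is not a verdict: SMS plus network is normal for a messaging app, and overlay permission is normal for a screen filter. It is the combination of overlay, SMS and network, with a device-admin receiver on top, that matches the behaviour described here and deserves analyst attention.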

The company said: “Hackers today go directly after endpoints and end users, so we all must be vigilant anytime we receive unwanted or unsolicited hyperlinks, attachments, or requests to grant privileged system access. And as always, install security software and keep it up to date.”

The company concluded: “Gugi/Fanta/Lime infections have been on the rise in 2016, primarily in Russia, but there is little reason to think that similar phishing strategies will not target users elsewhere. Therefore, it is critical for both individuals and enterprises to understand the dynamics of this threat, and to take precautions, including awareness training in social engineering.”
