Russian speaking hackers are targeting Android devices installed with apps from nearly all Australian banks in order to intercept SMS codes used to authorise transactions.
Receiving an SMS from your bank to authorise a payment is far more convenient than the more secure alternative enforced by some European banks.
However, a criminal group, dubbed The Postal Group, may push Australian banks towards the European model after turning its sights on Android smartphone apps from Australia’s biggest banks.
Apps from the Commonwealth Bank of Australia (CBA), Westpac, National Australia Bank (NAB), are included in a hit list in Android malware known as “OpFake”, according to a new report from Poland’s computer emergency response team (CERT.PL)
The “OpFake” Android malware has been around in various forms for several years, however a recent sample discovered by CERT.PL reveals its ambitions for Australia.
On infected smartphones, the malware presents a pop-up message over Google’s Gmail app that requests the target enter an email address and password. It will also present a request for credit card information in a pop-up when Google’s app store for Android, Google Play, is active.
The sting for the SMS one-time code system used by most Australian banks is that the malware looks for signs of installed apps that connect to the banking websites. These include the Bank of Queensland, CBA, NAB, St George, SunCorp and Westpac. In other words, Australia’s big four and the major brands behind them.
Although the malware doesn’t explicitly go after the bank account usernames and passwords, the information it may have collected from an infected smartphone — a Gmail user name and password — could be enough to hijack a transaction in the future. Studies have shown that users frequently reuse passwords from one account on others.
“In the case of this app, attackers do not need a computer malware counterpart to transfer funds from the victim’s account. By taking control of the user messages, they have access to the SMS-based one time password,” CERT.PL noted.
“By using the application overlay technique they can also get the user to send login and password details. So, by attacking only a user’s phone they gain almost complete control over user’s bank accounts,” it added.
The Android malware is not isolated to Australian targets and seeks out signs of apps from British banks, including Santander, RBS, Lloyds, Halifax, HSBC and Barclays. It can also be considered a possible emerging threat since CERT.PL's data also shows that only a few hundred devices have been infected across the globe.
CERT.PL has named the hacking crew behind the Android malware "The Postal Group" because it has previously posed as postal services in Australia, Poland, Turkey, Denmark and the UK to target victims with file-encrypting malware.
The group has paid special attention to Australia, posing as Australia Post, the Australian Federal Police (AFP), and NSW Office of State Revenue to dupe victims in different campaigns between 2013 and today.
Perhaps the highest profile target in which Australia Post was used as the bait was ABC New 24, whose live programming was disrupted briefly after one of its PC was infected by crypto-ransomware last October.
More recently the AFP’s logo was used to convince targets to download a supposed infringement notice that actually was a file that installed the CryptoLocker malware.
CERT.PL has also tied the group to the 9,000 PCs in Australia that CSO Australia reported in December had been infected with TorrentLocker ransomware.
As security firm ESET noted at the time, the malware stole each victim’s address book and email credentials before locking files using a strong encryption algorithm, likely in order to build a database of future targets.
Typical of ransomware attacks, it demanded payment in Bitcoin via a Tor-protected hidden website in exchange for the key to unlock the files.
Blast from the past?
Try our new Space Invaders inspired video game NOW.
What score can you get ?