An old banking trojan that was once limited to Russia has been updated to catch Australian banking customers.
According to Russian antivirus firm Dr. Web, at the beginning of 2016 Australian smartphones represented the fourth largest group to be infected the an Android banking trojan it labels “Android.SmsSpy.88.origin”.
The trojan first emerged in 2014 initially targeting banking customers in Russia and CIS countries, but a new version emerged in late 2015 to target non-Russian banking customers, including customers at six major Australian banks.
According to Dr. Web, it is designed to steal login credentials from smartphones with banking apps installed and send them to the attacker’s server. The malware monitors about 100 banking apps, including PayPal and Google Play.
The six Australian bank apps it monitors include those from Westpac, St. George, NAB, BankSA, ING Direct Australia and Bankwest, a Dr. Web spokesman told CSO Australia.
After identifying the presence of the real banking app, the malware generates a bogus form that looks like the victim’s bank app login page to trick the user into exposing their credentials.
It also captures SMS in order to grab SMS two-factor authentication codes that can be used to authorise overseas transfers.
Australian Android devices represented nearly 7 percent of 40,000 mobile devices worldwide that were compromised by the malware. Spain and India had slightly more infections than Australia, while devices in Turkey accounted for 18 percent.
Dr. Web said the trojan affected devices in 200 countries, most of which were running Android 4.4 KitKat, but also Android versions 5.1, 5.0, 4.1, and 4.1.
Like many other pieces of Android malware, it’s being distributed outside of the Google Play store and is packaged in a bogus version of Adobe Flash Player, supposedly for Android. Flash does not support any of the versions above.
Rival security vendor ESET reported a similar piece of Android malware earlier this year. Again, the trojan was being distributed outside of Google’s app store in a fake Flash installation and monitored the Android apps of Westpac, ANZ, Commbank, and NAB,.
Dr Web’s spokesman said these were two different pieces of malware, despite some superficial similarities.
The other feature that’s been added since 2014 is a ransomware lock page feature. Fortunately it does not encrypt data on affected phones.
Dr. Web notes that the trojan is being advertised on underground forums and sold as a service, offering customers a convenient administration panel to manage infected devices.