Android banking apps under attack in Australia

It isn’t easy being an Android owner down here in Australia, or even in New Zealand, as customers of the major banks are now threatened by a nasty piece of malware.

There’s never been a better time to grab one of the free mobile security apps on Android, or even one of the paid ones, especially now that mobile banking is under threat from a particularly nasty piece of software that poses as the login screen of a bank you use in order to hijack your credentials and send them to a cybercriminal.

Security company ESET has picked up on an app that does exactly this, with the app pretending to be a copy of Adobe’s Flash Player for Android, which doesn’t exist anymore, much like Internet Explorer for Mac. In both of these cases, if you go looking for them and “find them”, chances are you’ll be downloading malware of some kind.

And that’s what this fake version of Flash is: malware downloaded from some random location that runs in the background once installed. From this point, the fake Flash sends device information to a server without your permission, gathering the names of the applications installed on your device and sending that list to someone on the other end.

If you have an app that this scam can attack, it will attack it, and once it knows you have an app from, say, St George, ANZ, or Westpac, it will load a login screen on your phone pretending to be that bank.

Here’s the kicker: while the overlay isn’t terribly convincing, you can’t actually get out of the login screen without entering your details, making it the sort of thing people will follow whether they believe it or not.


Once the details are entered, they’re sent to a server without your permission and the login screen closes, your details are transmitted into the ether, and your bank accounts are broken into not long after.

Worse, ESET’s people say that two-factor authentication can be bypassed, with the attacker able to intercept text messages from the bank and remove them from your device, stopping you from noticing that anything is wrong.

“This is a significant attack on the banking sector in Australia and New Zealand, and shouldn’t be taken lightly,” said Nick FitzGerald, Senior Research Fellow at ESET.

“While 20 banking apps have been targeted so far, there’s a high possibility the e-criminals involved will further develop this malware to attack more banking apps in the future.”

Of those 20 banking apps, quite a few are Australian, with Westpac, Commonwealth Bank, St. George Bank, NAB, ANZ, Bendigo Bank, and Bankwest all included, while banks in New Zealand and Turkey are affected alongside those in Australia.

The inclusion of Turkey is a rather surprising one, though FitzGerald notes that there’s more than just banks included here, with services from other parts of the world on the list as well.


“The targeted apps list also includes eBay and PayPal among other non-banking apps,” he said. “Although not necessarily directly attacked in the malware variants we have seen, the inclusion of these apps in that list may be signs of other targets the malware’s authors are considering.”

On the plus side, security apps for Android should be able to block this without any problems, so making sure your Android device has one of these — and there are a lot of them — is vitally important, especially if you’re at all concerned about being tricked into handing your details over to a scammer.

“Mobile malware is becoming more common and complex,” said FitzGerald. “Smartphone and tablet users should be aware of the ramifications of entering personal information into potentially fake login screens.”

Alternatively, don’t install applications from outside the Google Play Store unless you know what you’re doing, because that’s how this one is getting in. We’d do both: keep your app downloads on Google Play and run security software. It’s just safer that way.