Slashdot Mirror


Android Banking Malware SlemBunk Part of Well-Organized Campaign (fireeye.com)

itwbennett writes: Researchers from FireEye first documented the SlemBunk Android Trojan that targets mobile banking users in December. Once installed, it starts monitoring the processes running on the device and when it detects that a mobile banking app is launched, it displays a fake user interface on top of it to trick users into inputting their credentials. The Trojan can spoof the user interfaces of apps from at least 31 banks from across the world and two mobile payment service providers. The attack is more complicated than it appears at first glance, because the APK (Android application package) that users first download does not contain any malicious functionality, making it hard for antivirus apps and even Android's built-in app scanner to detect it.

35 comments

  1. The fool and his money by Anonymous Coward · · Score: 0

    Those who are foolish enough to get duped by a drive-by download deserve getting their money separated from them.

    1. Re:The fool and his money by BarbaraHudson · · Score: 5, Funny

      The latest versions, however, are distributed through drive-by download techniques, predominantly when visiting porn websites. Device owners are alerted that in order to view the videos on the site they need to update their Flash Player and an APK (Android application package) is offered for download.

      Porn. Well, you wanted to see people getting f*cked, didn't you? Now take a selfie :-)

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  2. Never by jodido · · Score: 5, Insightful

    This is why I don't and never will have a banking app on any mobile device.

    1. Re:Never by CastrTroy · · Score: 2

      I do all my banking on a virtual machine on my desktop that I only use to visit the banking websites.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Never by sexconker · · Score: 4, Insightful

      I do all my banking at a bank.

      Actually, I tried to, but half of the time they told me shit like "Nah, we can't do that at the bank, go online to do it." or "Nah, we're Bank of America and you need to call Banc of America, despite the fact that your card says Bank of America on it.". I closed my fucking accounts when they said they wouldn't block the repeated fraudulent ACH withdrawals from my checking account. They said they would block transactions from XYZ for a specific amount, $N, but XYZ was free to steal $N+1 or $100*N at any time.

      I'd say that more than half of the insecurity and general fucked-upedness of banking in the US resides with the banks, not with the methods people access the banks. The fact that we're barely transitioning to chip-and-sign (not even chip-and-pin) is a great example of how little they care.

    3. Re:Never by ElectricHellKnight · · Score: 5, Funny

      I do all my banking under my mattress.

    4. Re: Never by Anonymous Coward · · Score: 0

      You forgot the bit about Appy Apping APPS. -PCP

    5. Re: Never by Anonymous Coward · · Score: 1

      Found the masterbanker.

    6. Re:Never by DogDude · · Score: 1, Informative

      Banking with banks is dumb unless you're ultra-rich. Everybody else should use credit unions.

      --
      I don't respond to AC's.
    7. Re:Never by antdude · · Score: 1

      How about on computer and in person? Same thing can happen. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    8. Re:Never by thegarbz · · Score: 4, Funny

      I used to do it on my Windows 10 machine, but after advice here on Slashdot I now only do internet banking on an old vanilla Windows XP machine running IE6. I heard that Windows updates are bad, and antivirus products are worse so I have gone back to basics to keep me safe.

    9. Re:Never by sociocapitalist · · Score: 1

      This is why I don't and never will have a banking app on any mobile device.

      Unless paired with a physical token...?

      --
      blindly antisocialist = antisocial
    10. Re:Never by edtice1559 · · Score: 1

      I hope that the OP was going for a +1 Funny although I'm probably now going to get a -1 because I read TFA. Banking on your phone is still the most secure option. If you have a Nexus branded device or a third-party one with Google Play services and get your apps from the Play store, there's no risk here whatsoever. This only affects those who have allowed apps from "untrusted" sources. The fact that anti-virus can't pick it up only shows that anti-virus is stupid and you shouldn't be running it on your phone. Drive-by downloads can sometimes happen on desktop Windows machines due to bugs. But on Android, it's impossible. You might as well say you won't bank on your desktop machine. The whole point of running stock Android is that Google can protect your garden better than you can. Some will be frustrated that Google holds the keys so to speak, but the fact is that they are probably better at managing devices than I would be. They have a bit more scale.

    11. Re:Never by edtice1559 · · Score: 1

      Well banks are pretty insecure. You show them your ATM card and 4 digit PIN and you can do just about anything. Ten years ago, I did my banking somewhere that they used a fool-proof biometric identification system. The chances of walk-in fraud were pretty low. Now all you need is to skim an ATM card and PIN and you can do all kinds of transactions inside the bank without question. The ATMs have a transaction limit to prevent large fraud. But you can do a lot more at the teller.

    12. Re:Never by Anonymous Coward · · Score: 0

      Banking on your phone is still the most secure option.

      Which other options are you considering?
      Do you just mean it's more secure than IE6?
      People lose cell phones a lot more often than they lose desktop computers.
      Phones get a lot more malware than PCs running non-Microsoft OSes.

    13. Re:Never by lhowaf · · Score: 1

      You're right...and the chip-and-sign cards have nothing to do with security. It is just the banks shifting liability for fraud away from themselves and onto retailers.

  3. Thank God for updates ... by Billly Gates · · Score: 1

    ... oh that is right I need to be vulnerable for a year because Samsung and the carriers want me to buy a new phone to be more secure

    1. Re:Thank God for updates ... by Anonymous Coward · · Score: 0

      ... oh that is right I need to be vulnerable for a year because Samsung and the carriers want me to buy a new phone to be more secure

      Next time buy Nexus.

    2. Re:Thank God for updates ... by mrchaotica · · Score: 1

      Where can I get quick and consistent updates and a removable battery and micro-SD slot at the same time?

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    3. Re:Thank God for updates ... by JazzLad · · Score: 1

      quick and consistent updates
      removable battery
      micro-SD slot

      Pick 2.

      unless one of them is quick and consistent updates, then pick 1

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
  4. Why are you banking on your phone? by Anonymous Coward · · Score: 0

    Why are you banking on your phone? Your phone is an insecure computer on an insecure network with a store that may potentially install malware. This computer may come pre-installed with malware that you cannot uninstall. You don't know.

    Why are you using this device for banking?

    1. Re:Why are you banking on your phone? by Goaway · · Score: 0

      Oh, so you're an Android user, then.

    2. Re:Why are you banking on your phone? by Anonymous Coward · · Score: 0

      Yeah, good thing there's no malware on the other popular smartphone platform.

    3. Re:Why are you banking on your phone? by Anonymous Coward · · Score: 0

      Because iPhone users have thrown all their money away for an overpriced and overly-restricted phone. iOS users don't need banks, they hand their money straight to Apple.

  5. Android. Banking, on Android. On a cell phone. by Anonymous Coward · · Score: 0

    I love the chutzpah.

  6. Re: How do you like your lack of control now? by Anonymous Coward · · Score: 5, Informative

    This malware isn't from the Google Play store, it's from some porn site. The summary is garbage. Summary: user visits porn website, a pop up says please update Flash. User clicks OK and downloads a .apk file. User has to go into options to allow side loading of apps and install the .apk he just downloaded. No shit bad stuff will happen.

  7. Re:How do you like your lack of control now? by Namarrgon · · Score: 4, Informative

    Malware like this is possible because Android *does* offer you control, like sideloading. It's iOS that restricts control (and apparently many users need to be controlled for their own good).

    Google can also nuke this shit, but only if its Play Services is installed. Most Chinese android devices are unassociated with Google, apart from using the AOSP codebase.

    --
    Why would anyone engrave "Elbereth"?
  8. Re:How do you like your lack of control now? by Namarrgon · · Score: 1

    Really? Can you link me to the source page on AOSP where some of these spying APIs are defined?

    --
    Why would anyone engrave "Elbereth"?
  9. Re:How do you like your lack of control now? by Anonymous Coward · · Score: 0

    I think OP is referring to the Google Apps blobs.

  10. Luddites by ThatsNotPudding · · Score: 2

    Maybe they had a point. Every day has news of more and more hacking exploits and vulnerabilities and you can extrapolate how many more are still under wraps. On top of this, we now have proof all our governments (and most corporations) spy on us and yet still want even more access, resulting in true privacy becoming as precious and diminishing as potable water.

    The boiled frogs are about done.

  11. Re:How do you like your lack of control now? by Namarrgon · · Score: 1

    Which are not built into Android, and are certainly not part of the core OS.

    --
    Why would anyone engrave "Elbereth"?