Slashdot Mirror


Android Banking Trojan Masquerades As Flash Player, Circumvents 2FA

A newly found Android trojan is targeting customers of large banks in Australia, New Zealand and Turkey. The banking malware, flagged as Android/Spy.Agent.SI by the security firm ESET, disguises itself as Flash Player and spreads via unofficial app stores. It can steal the login credentials for 20 mobile banking apps, and can also mimic the login screens of popular services such as PayPal, eBay, Skype, WhatsApp and several Google services. The trojan is able to intercept SMS communications, which, in turn, allows it to circumvent SMS-based two-factor authentication.

51 comments

  1. Intercept SMS? by cerberusss · · Score: 1

    How can an app actually intercept SMS? Is this common on the Android platform, that apps can intercept that kind of deep system stuff?

    1. Re:Intercept SMS? by righteousness · · Score: 1

      Any apps with the right permissions can read and edit SMS.

      --
      Don't fornicate. Seriously, just don't do it.
    2. Re:Intercept SMS? by Firethorn · · Score: 1

      And, since you can't actually deny permissions in Android (without more work), and it seems that 'all apps' love having access to way more than they should, it's hard to find 'good' applications that might not be a trojan.

      --
      I don't read AC A human right
    3. Re:Intercept SMS? by Chrisq · · Score: 3, Insightful

      This is one of my pet hates about android (and I'm generally a fan). A lot of apps ask for that permission but just for registration. Up until the latest version (and still on one of my phones) you had to accept this permission to register but then had no way to revoke it afterwards, so you had to hope for the lifetime of the app that it wasn't compromised and wouldn't start messaging premium-rate SMS services or forwarding your message.

    4. Re:Intercept SMS? by Anonymous Coward · · Score: 1

      You should try Android 6, where apps need to ask permission before they first use the feature (like on iOS). Earlier versions of Android were all or nothing, but recent versions have fine-grained control.

    5. Re:Intercept SMS? by Anonymous Coward · · Score: 0

      Because the security model in Android is shit. You either have to give access to EVERYTHING or nearly nothing.

    6. Re:Intercept SMS? by castionsosa · · Score: 2

      That is only if the app developer allows that in the manifest. Otherwise, the app falls back to the all or nothing permission model.

      The best solution is XPrivacy/XPosed, but IIRC, that hasn't worked since Android 5 came out. Second best solution is either CyanogenMod, or if you can read Chinese and choose to trust the app, LBE Privacy Master.

    7. Re:Intercept SMS? by Anonymous Coward · · Score: 1

      I was just looking at that on my new device running android 6 and that doesn't appear true. Either every application I have installed allows me to enable and disable permissions, or the OS just allows it. In fact, when I go to disable a permission it gives a warning saying "This app was designed for an older version of Android. Denying permission may cause it to no longer function as intended."

      Clearly I can disallow permissions, it just might break the app and is in no way enforced by the manifest as you have stated.

    8. Re:Intercept SMS? by macs4all · · Score: 1

      That is only if the app developer allows that in the manifest. Otherwise, the app falls back to the all or nothing permission model.

      And, more importantly, only if your phone has Android 6 available, which the vast majority in actual use likely don't.

      And don't go on and on about installing custom "ROMs", Cyanogen, etc. Only about 1% of Android users outside of Slashdot would even know how to do that, let alone figure out where to get a TRUSTWORTHY custom "ROM", etc.

      So yeah, good that Android is FINALLY getting something akin to iOS' Security Model; but in reality, it will be half-a-decade before all Android phones are running Android 6 or above.
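The thread above turns on two facts: an app gets SMS access only by declaring the SMS permissions in its manifest, and the Android 6 per-use prompts apply only to apps that target API level 23 or later (older targets are still granted everything at install time). The following audit script is an added example, not code from the page or from ESET's analysis; the sample manifest is constructed to look like the fake "Flash Player" in the story, and the permission names and the API-23 threshold are real Android values.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
RUNTIME_PERMISSION_SDK = 23  # apps targeting API 23+ get Android 6 per-use prompts

# Real Android permission names that give an app access to SMS/MMS traffic.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
}

# Constructed sample: a decoded AndroidManifest.xml for a fake "Flash Player" that
# asks for SMS access and targets an API level below 23 (install-time, all-or-nothing).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeflash">
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="19"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Flash Player"/>
</manifest>
"""


def _attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    """Return what the manifest requests and which permission model it will get."""
    root = ET.fromstring(xml_text)
    requested = [_attr(el, "name") for el in root.iter("uses-permission")]
    uses_sdk = root.find("uses-sdk")
    target = None
    if uses_sdk is not None and _attr(uses_sdk, "targetSdkVersion"):
        target = int(_attr(uses_sdk, "targetSdkVersion"))
    app = root.find("application")
    return {
        "package": root.get("package"),
        "label": _attr(app, "label") if app is not None else None,
        "requested": requested,
        "sms_permissions": sorted(p for p in requested if p in SMS_PERMISSIONS),
        "target_sdk": target,
        # Runtime prompts only apply when the app targets API 23 or later; older
        # targets are granted everything at install time (the "all or nothing" model).
        "runtime_prompts": target is not None and target >= RUNTIME_PERMISSION_SDK,
    }


def findings(report):
    """Turn an audit report into human-readable red flags."""
    out = []
    if report["sms_permissions"]:
        out.append("requests SMS access: " + ", ".join(report["sms_permissions"]))
    if not report["runtime_prompts"]:
        out.append("targetSdkVersion %s < %d: permissions granted in bulk at install, "
                   "no per-use prompts" % (report["target_sdk"], RUNTIME_PERMISSION_SDK))
    if "android.permission.SYSTEM_ALERT_WINDOW" in report["requested"]:
        out.append("can draw over other apps (overlay capability)")
    return out


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("%s (%s)" % (report["label"], report["package"]))
    for line in findings(report):
        print(" - " + line)
```

On a real device the manifest has to be pulled from the APK and decoded first (the binary XML inside an APK is not what `ElementTree` parses); the check itself is the same. Note that on Android 6 a user can still revoke a permission of an API-19 app from Settings, which is exactly the warning quoted in the thread, but the app was not written to cope with the denial.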

  2. cream of the code contest continues by Anonymous Coward · · Score: 0

    take up where we left off;; the first hobbyist whiner to submit a script that turns part of any web page into a virtual video camera, wins... sounds tough because it is... no successful entries in 4 years... cease fire stand down.. in the moms we trust..

  3. So, safer than the Adobe Flash by Anonymous Coward · · Score: 0

    Where can I get this?

    1. Re:So, safer than the Adobe Flash by Chrisq · · Score: 1

      Where can I get this?

      My thought exactly.... they had a lucky escape and only installed a banking trojan!

  4. More Complete Pwnage by mentil · · Score: 1

    Devices have been 'pwned' before but it seems to be escalating, as malware used to just do 1 or 2 related malicious things (ad redirects/BHOs/ad banner replacements etc.).

    I'm waiting for ransomware to hit mobile. "Oh you want to make phone calls? $20 to unlock that functionality. Browse the web? $20. Use apps? $20. Once you talk to your bank for 3 hours and get your money back, send the bitcoins to this address." It'll be cleverly priced at less than the cost of a replacement phone (maybe first determining the phone model) or the price of having it serviced by the manufacturer, or insurance deductible.

    Other mobile ransomware might present itself as a message from your carrier: "Hey you're overdue. We're shutting off stuff until you pay up; click here to set up payment." and sure enough their data/voice/SMS are cut off aside from the 'convenient payment app'. It will probably be timed to activate at the beginning/end of the month, like when a bill would be due. They don't have to receive the money directly, the malware can fill up some 'legit' account (Xbox FIFA cards or whatever) in the background using the payment info, which the ransomers then access and drain.

    I have a feeling Google tacitly allows Android's design to be pwnable, so that the Play store vetting is the only thing stopping your device from getting malware; discouraging use of 3rd party stores/piracy increases sales on their store (and thus them getting a cut) an amount probably greater than zero. The question is, is the bad publicity of malware bad enough to drive enough people to Apple that they lose more Play store sales than they gain?

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:More Complete Pwnage by Arnold+Reinhold · · Score: 2

      Scroll down two stories to read the usual Slashdot sneering about Apple products.

    2. Re:More Complete Pwnage by macs4all · · Score: 1

      I have a feeling Google tacitly allows Android's design to be pwnable, so that the Play store vetting is the only thing stopping your device from getting malware

      If only that were true. But unfortunately, you have only a slightly better chance of actually getting a "clean", well-behaved App from the Play Store than you do from some random .ru site.

  5. That's not 2FA by Anonymous Coward · · Score: 0

    Using SMS on the same phone as the App isn't 2FA, your phone as one factor and your same phone as another factor does not make 2FA.
    That's like saying you support 2FA by splitting the password field into 2 fields...
    So what circumvented 2FA wasn't the Trojan but the user.
    That's almost like the person who used an external PIN terminal without ever reading what it said and complained that a Trojan stole money despite using this "safe" method. You just can't win if your users are the attacker.

    1. Re:That's not 2FA by Anonymous Coward · · Score: 0

      Using SMS on the same phone as the App isn't 2FA, your phone as one factor and your same phone as another factor does not make 2FA. That's like saying you support 2FA by splitting the password field into 2 fields... So what circumvented 2FA wasn't the Trojan but the user. That's almost like the person who used an external PIN terminal without ever reading what it said and complained that a Trojan stole money despite using this "safe" method. You just can't win if your users are the attacker.

      2FA is usually defined as "something you know" + "something you have". If the banking app asks you for a password (you know), and then also needs an SMS sent to the phone (you have), that is definitely 2FA by most usual definitions. And what most services practice, with SMS as the second factor in login, or an authenticator app on your phone.

    2. Re:That's not 2FA by Anonymous Coward · · Score: 0

      Time to redefine the definition, then. Grandparent AC is absolutely right - if you've got the challenge functionality on the same device as the required response, then you've hugely undermined the point of 2FA. Rather than viewing the something you know/have/are from the point of the user, it should be viewed from the point of a potential third party. In this case, the third party malicious app doesn't see two factors - it knows the login, and it knows the challenge response after the SMS comes in.

    3. Re:That's not 2FA by Anonymous Coward · · Score: 0

      If you have a compromised phone that is phishing/MITM your input to that degree, would it make much difference if the 2FA code came from a separate code device in your pocket that you type in (to the malware)?

    4. Re:That's not 2FA by Zero__Kelvin · · Score: 1

      Ladies and gentlemen ... The above is a classic example of someone who either has no idea what they are talking about, or someone who is intentionally spreading misinformation. Rest assured that "SMS + Password" is indeed 2 factor authentication, regardless of which system is used to enter the password / secret.

      The AC seems to think that physical possession of the smartphone somehow magically conveys the other factor (the password.) Clearly it doesn't.* The first factor is the possession of the phone (something you possess). The second is the entering of a secret (something you know). Since possession of the phone doesn't automagically help an attacker know the secret, the fact that I happen to use my phone to enter the secret rather than a different computer system is entirely immaterial.

      * This clearly assumes that the smartphone owner doesn't choose to "Save Password" for the respective content / service provider(s).

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re:That's not 2FA by Zero__Kelvin · · Score: 1

      "2FA is always defined as "something you know" + "something you have"."

      FTFY

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:That's not 2FA by Zero__Kelvin · · Score: 1

      That isn't true. See also. . No need to reply ... Apology accepted.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re:That's not 2FA by Anonymous Coward · · Score: 0

      BS. It is NOT really two-factor if the device that provides the "what you have" is the device to which you enter the "what you know". It's arguably better than just the password, but in a real two-factor system you would obtain the "what you have" from an independent channel, say, a key-fob "token" device, or the phone, if you log in with the laptop, PC, or tablet. Otherwise, it is NOT a "what you have", because you got it through the same device you're using to log in. SMS can be a second factor, but ONLY if it provides you something you can use through an independent channel.

    8. Re:That's not 2FA by Zero__Kelvin · · Score: 1

      You are an idiot who doesn't have any idea what he is talking about. That would be bad enough on its own, but I just got done explaining to you why you are a clueless idiot. The fact that you can't figure it out even after it has been explained to you is pathetic. Let me try to explain it to you again. Dear moron: The phone is something you have. The password is something you know. When taken as an aggregate that's two factor auth. Period. Your belief that it matters how the second factor was communicated is a direct indication of your complete lack of understanding of computer security. Off you go now rank amateur.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
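The "That's not 2FA" thread argues about SMS codes delivered to the same phone that runs the banking app; one reply points out that an authenticator app is the usual alternative second factor. The code below is an added example, not from the page or any bank, of how that alternative works: RFC 4226 HOTP and RFC 6238 TOTP, with the server-side check that tolerates one step of clock skew. The secret is the RFC test-vector seed, used here only so the codes can be checked against the published vectors; the account and issuer names are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Constructed demo secret (the RFC 4226/6238 test-vector seed); real deployments
# generate a random secret per user at enrolment and never reuse it.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HMAC-based OTP for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 time-based OTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret, code, timestamp, step=30, window=1, digits=6):
    """Server-side check; accepts codes within +/- `window` steps of clock skew."""
    counter = int(timestamp) // step
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        # compare_digest keeps the comparison time independent of the submitted code
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that an authenticator app scans once at enrolment."""
    label = urllib.parse.quote("%s:%s" % (issuer, account))
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return "otpauth://totp/%s?secret=%s&issuer=%s" % (
        label, b32, urllib.parse.quote(issuer))


if __name__ == "__main__":
    now = time.time()
    print(provisioning_uri(DEMO_SECRET, "alice@example.com", "ExampleBank"))
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "valid:", verify_totp(DEMO_SECRET, code, now))
```

The design point relevant to the thread: the secret is transferred once, at enrolment, and every later code is derived locally from it, so there is no per-login message to read. Whether that helps against a trojan already running on the same device is the question the thread argues over; what it does remove is the SMS channel the story's malware intercepts.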
  6. Fake data by Anonymous Coward · · Score: 0

    I think the only way out for that is to have an option to give the app *fake data*, and really recommend this option.

    My flashlight wants location data? There you go.

    Of course, this would take some work, in building generators for somewhat plausible but totally wrong data. Or perhaps, at the user's control, just slightly wrong data (e.g. my restaurant application might actually benefit from location data, but I might choose to have it fuzzed by some 5km or so).

    1. Re:Fake data by Anonymous Coward · · Score: 0

      XPrivacy will feed apps bogus data, rather than just restrict permissions (which it also does). There are settings to randomize the data on boot and on request (e.g. every time your position is queried). You can also manually set values so if you want kinda accurate but obfuscated location info you can set your location to your town center (or wherever).

      So it can handle most of what you asked for, is mature, and I'd recommend it. But your average mouth-breather, uh, user, is lazy and will be as likely to use it as they will NoScript. Instead, I think in Android 5 or 6 (or at least their CyanogenMod counterpart) a much more basic privacy control is built in which e.g. blocks access to your contacts and a few other things unless explicitly permitted. And it's easier to make exceptions than XPrivacy because less powerful = simpler. So it's good both exist, but what you're asking for is more fit by XPrivacy.

    2. Re:Fake data by castionsosa · · Score: 1

      XPrivacy does exactly this, but AFAIK, it doesn't work well with Android 5 or newer. There are a lot of applications which ask for everything. For example, the Cracked app used to demand access to the GPS, even though all it did was act as a shell for Web content.

      Another app that fetches everything is Yik Yak. It goes through the phone to find any individual IDs it can, so it can permanently tie an "anonymous" ID to the phone and the person.

      Location data isn't too hard to fake. Enable mock locations... done. However, stuff like slurping contacts, SMS records, advert IDs, and other items, needs something like XPrivacy, DonkeyGuard, or something decent like that.
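The "Fake data" thread describes two ways of answering a location request with something other than the real position: fuzzing it within a few kilometres, or snapping it to a fixed point such as the town centre. The code below is an added example of both, not code from XPrivacy or any other project; the centre list is constructed, and the spherical-earth distance is an approximation that is more than accurate enough at a 5 km scale.

```python
import math
import random

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres on a spherical earth model."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def fuzz_location(lat, lon, radius_m=5000.0, rng=random):
    """Return a point uniformly distributed over a disc of radius_m around (lat, lon).

    The sqrt on the radius keeps the density uniform over area rather than
    clustering results near the true position, which would leak it on repeated queries.
    """
    r = radius_m * math.sqrt(rng.random())
    theta = 2 * math.pi * rng.random()
    dlat = math.degrees((r * math.cos(theta)) / EARTH_RADIUS_M)
    dlon = math.degrees((r * math.sin(theta)) /
                        (EARTH_RADIUS_M * math.cos(math.radians(lat))))
    return lat + dlat, lon + dlon


def snap_to_center(lat, lon, centers):
    """Fixed-answer mode: report the nearest configured centre, never the real point."""
    return min(centers, key=lambda c: haversine_m(lat, lon, c[1], c[2]))


# Constructed sample centres as (name, lat, lon); not taken from any app's data.
SAMPLE_CENTERS = [
    ("Town A", 51.50, -0.12),
    ("Town B", 51.45, -2.58),
    ("Town C", 53.48, -2.24),
]


if __name__ == "__main__":
    real = (51.52, -0.10)
    fuzzed = fuzz_location(*real)
    print("fuzzed: %.4f, %.4f (%.0f m away)" % (fuzzed[0], fuzzed[1],
                                                haversine_m(*real, *fuzzed)))
    print("snapped:", snap_to_center(*real, SAMPLE_CENTERS))
```

Two caveats worth keeping in mind when wiring something like this behind a permission hook: re-fuzzing on every query lets an app average the answers back to the true position, so the fuzzed point should be cached per app for some period (the reply above mentions randomising on boot rather than per request), and the snap mode gives away nothing beyond the chosen centre, which is why XPrivacy-style tools offer it.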

  7. How is this a security issue? by tetraverse · · Score: 1

    "Android trojan .. disguises itself as Flash Player and spreads via unofficial app stores"

    It would be a real story if this Android 'banking trojan' silently installed itself without the end user taking action. This kind of non-story belongs over on the Microsoft Register.

  8. poor trojan by Anonymous Coward · · Score: 0

    from http://www.virusradar.com/en/Android_Spy.Agent.SI/description

    Installation:
    The trojan must be downloaded and manually installed.

  9. But... by OpenSourced · · Score: 1

    Does it play Flash or not?

    --
    Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
  10. No Flash by DrYak · · Score: 3, Funny

    Actually *NOT* playing flash (even more so flash ads) would be a *positive* feature.
    Almost redeeming its trojan-ness.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  11. Caveat emptor by wildstoo · · Score: 1

    "spreads via unofficial app stores"

    So... if you use the official Play store you're not going to be exposed to this?

    What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.

    1. Re:Caveat emptor by Anonymous Coward · · Score: 0

      Unofficial app stores definitely seem super-sketchy and should be avoided if you have any sense. The only exceptions I would make are the Amazon app store and F-Droid. F-Droid is like a Debian repo for FOSS Android apps--it's pretty awesome. You can use it as your only app store and not have Google Play (or any Google services) on your phone at all, if that's your thing.

      One way to protect yourself is to think what the random app store has to lose by serving malware-ridden apps. Larger, more legitimate stores (Google, Amazon) have both a reputation and liability (they are big targets to be sued). F-Droid is all about transparency and reputation. However some random transient website or app store with no clear contact or legal entity has little to lose so it's foolish to trust them.

    2. Re:Caveat emptor by macs4all · · Score: 1

      What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.

      In all seriousness, and without a hint of Trolling, the main "advantage", AFAICT, is that it makes you feel superior to users of iOS, because only you have true "freedom".

      Unfortunately, like in life, with "freedom" comes responsibility; and up until just recently, Android really didn't give users a fighting chance when it came to its Permissions model.

      In fact, the very combination of "Sideloading" (or lack of Walled-Garden-ness) and Android's clearly pathetic "all-or-nothing" Permissions Model (who the F* thought THAT up?!?) (and which will still be in existence in the field for the next half-decade), is very much the Perfect Storm of vulnerability.

      Again, without any attempt at Trolling, say what you will about iOS, the proof is in the pudding when it comes to malware on the two respective platforms.

    3. Re:Caveat emptor by macs4all · · Score: 1

      The only exceptions I would make are the Amazon app store and F-Droid.

      Seriously, I can't see the need for ANY "exceptions" whatsoever.

      Think about it: With the pretty much laissez-faire attitude that Google has about "Acceptability" for Apps in the Play Store, why oh why would ANY legit Android Developer NOT want the raw number of potential sales that comes with having your App listed on the "One Stop Shopping, and Approved, 'Safe' " Google Play Store?

      So, IMHO, the fact that an App is NOT listed on Google Play should be the #1 Red Flag that something isn't exactly what it seems with an Android App.

      Show me how, in any PRACTICAL sense, that I am wrong. I love "freedom" as much as the next person; but sometimes, the risks outweigh the benefits. And as long as we keep keeping private stuff and do private stuff (like banking) on our mobile devices (regardless of platform), any "benefits" must be VERY carefully considered against the possibility of being pwned.

    4. Re:Caveat emptor by themusicgod1 · · Score: 1

      > And as long as we keep keeping private stuff and do private stuff (like banking) on our mobile devices (regardless of platform)

      If you do not have the source code, you cannot verify that your financial transactions are actually between you and your blockchain. Banking, or anything else, that is not done on an entirely free software stack is simply not safe, post 2013. No one should use Google Play for anything. The Snowden documents have shown that the NSA has been able to coopt it to get users to install their malware/implants. With no way of knowing that you've been coopted. The #1 red flag is not that it's not on Google Play, the #1 red flag is "no source code".

      --
      GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
    5. Re:Caveat emptor by tlhIngan · · Score: 1

      What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.

      Other than sticking your tongue out at iOS users, there are a couple of stores that are good.

      I have the Amazon app store, which is nice since Amazon loves to give away paid apps for free - through their daily giveaways as well as massive monthly giveaways and even their new one where the more you use it, the more you can get out of it (free paid DLC and stuff).

      The other one would be Humble Bundle which lets you get paid android apps for cheap which can't be done on iOS, for example.

      The other reason is China doesn't have the Play store, and their app stores are less ... vetted, so pirated apps and infected apps are common.

      Of course, the sketchier app stores are often used because well, piracy.

  12. I'm still not clear! by EzInKy · · Score: 1

    Why are those that we trust with our finances allowing funds to be transferred without live, in person, face to face interaction? It's not like none of us could go to the local branch verifying our identity right? Money is all about trust after all.

    --
    Time is what keeps everything from happening all at once.
    1. Re:I'm still not clear! by Anonymous Coward · · Score: 0

      So I take it you don't use internet banking, phone banking, ATMs in any way shape or form? or have an active cheque book?

  13. In conclusion by Swampash · · Score: 1, Informative

    Android

    1. Re:In conclusion by Anonymous Coward · · Score: 0

      The price of free choice is that some people will choose poorly. The price of restricted choice is that sometimes Apple will choose poorly on our behalf.

    2. Re:In conclusion by macs4all · · Score: 1

      The price of free choice is that some people will choose poorly. The price of restricted choice is that sometimes Apple will choose poorly on our behalf.

      The problem with "choosing poorly" is that it isn't just "some people"; it is the VAST MAJORITY of people, that have better things to do with their lives than learn the ramifications of clicking "Allow".

      Yes, the price of freedom is eternal vigilance; but in this particular case, you can get pwned even if you are extremely vigilant.

  14. virus spreads via unofficial app stores... by Anonymous Coward · · Score: 0

    This is why I don't use unofficial app stores.

    1. Re:virus spreads via unofficial app stores... by Anonymous Coward · · Score: 0

      I don't think I would even know how to find an unofficial app store.

  15. Uh...flash player? Really? by evolutionary · · Score: 1

    Yet another reason why Adobe Flash should die a much faster death.

    --
    "Imagination is more important than knowledge" - Einstein
  16. Not two-factor by DriveDog · · Score: 1

    It's not really two-factor if one of them comes from the same machine being used for access.

    1. Re:Not two-factor by Zero__Kelvin · · Score: 1

      No. Just NO. Please stop spreading misinformation. Thanks.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  17. "spreads via unofficial app stores" by Anonymous Coward · · Score: 0

    google is not perfect and their repository has numerous flaws and malicious apps, but at least there's some sort of submission verification and it is run by a company with a vested interest in keeping the crud out.

    but come on folks, if you use a third-party repository, or you go looking for apps to do things that maybe, perhaps, you shouldn't be doing in the first place... spread those cheeks and prepare to be violated. it's really not any different than loading up google in internet explorer, searching for 'free movie downloads' or similar, and blindly clicking on results.

  18. That's funny by JustAnotherOldGuy · · Score: 2

    "The banking malware ... disguises itself as Flash Player..."

    That's funny, usually it's the other way around.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  19. Mod Parent Up. by mjwx · · Score: 1

    "Android trojan .. disguises itself as Flash Player and spreads via unofficial app stores"

    It would be a real story if this Android 'banking trojan' silently installed itself without the end user taking action. This kind of non-story belongs over on the Microsoft Register.

    This is the iPhone defence.

    Yep, this is exactly the excuse that iPhone users use to dismiss security issues brought on by jailbreaking and Cydia.

    Getting the user to install malicious software has always been and will always remain the most effective way of spreading it. Doesn't matter what the platform is and in the end, there is only so much you can do to protect stupid people from themselves.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.