Slashdot Mirror


Android Banking Trojan Masquerades As Flash Player, Circumvents 2FA

A newly found Android trojan is targeting customers of large banks in Australia, New Zealand and Turkey. The banking malware, flagged as Android/Spy.Agent.SI by security firm ESET, disguises itself as Flash Player and spreads via unofficial app stores. It can steal login credentials for 20 mobile banking apps, and can also mimic the login screens of popular services such as PayPal, eBay, Skype, WhatsApp and several Google services. The trojan is also able to intercept SMS messages, which lets it circumvent SMS-based two-factor authentication.

33 of 51 comments

  1. Intercept SMS? by cerberusss · · Score: 1

    How can an app actually intercept SMS? Is this common on the Android platform, that apps can intercept that kind of deep system stuff?

    1. Re:Intercept SMS? by righteousness · · Score: 1

      Any apps with the right permissions can read and edit SMS.

      --
      Don't fornicate. Seriously, just don't do it.
    2. Re:Intercept SMS? by Firethorn · · Score: 1

      And, since you can't actually deny permissions in Android(without more work), and it seems that 'all apps' love having access to way more than they should, it's hard to find 'good' applications that might not be a trojan.

      --
      I don't read AC A human right
    3. Re:Intercept SMS? by Chrisq · · Score: 3, Insightful

      This is one of my pet hates about android (and I'm generally a fan). A lot of apps ask for that permission but just for registration. Up until the latest version (and still on one of my phones) you had to accept this permission to register but then had no way to revoke it afterwards, so you had to hope for the lifetime of the app that it wasn't compromised and wouldn't start messaging premium-rate SMS services or forwarding your message.

    4. Re:Intercept SMS? by Anonymous Coward · · Score: 1

      You should try Android 6, where apps need to ask permission before they first use the feature (like on iOS). Earlier versions of Android were all or nothing, but recent versions have fine-grained control.

    5. Re:Intercept SMS? by castionsosa · · Score: 2

      That is only if the app developer allows that in the manifest. Otherwise, the app falls back to the all or nothing permission model.

      The best solution is XPrivacy/XPosed, but IIRC, that hasn't worked since Android 5 came out. Second best solution is either CyanogenMod, or if you can read Chinese and choose to trust the app, LBE Privacy Master.

    6. Re:Intercept SMS? by Anonymous Coward · · Score: 1

      I was just looking at that on my new device running android 6 and that doesn't appear true. Either every application I have installed allows me to enable and disable permissions, or the OS just allows it. In fact, when I go to disable a permission it gives a warning saying "This app was designed for an older version of Android. Denying permission may cause it to no longer function as intended."

      Clearly I can disallow permissions, it just might break the app and is in no way enforced by the manifest as you have stated.

    7. Re:Intercept SMS? by macs4all · · Score: 1

      That is only if the app developer allows that in the manifest. Otherwise, the app falls back to the all or nothing permission model.

      And, more importantly, only if your phone has Android 6 available, which the vast majority in actual use likely don't.

      And don't go on and on about installing custom "ROMs", Cyanogen, etc. Only about 1% of Android users outside of Slashdot would even know how to do that, let alone figure out where to get a TRUSTWORTHY custom "ROM", etc.

      So yeah, good that Android is FINALLY getting something akin to iOS' Security Model; but in reality, it will be half-a-decade before all Android phones are running Android 6 or above.
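The thread above asks how an app gets at SMS at all and then argues about whether Android 6's runtime prompts help. Both questions are answered by the app's manifest: the SMS permissions it requests, whether it registers a receiver for the SMS_RECEIVED broadcast, and whether its targetSdkVersion is below 23 (in which case Android 6 grants everything at install and never prompts, although the user can still revoke in Settings, as the AC found). The script below is an added example, not code from ESET or from this page: it triages a decoded AndroidManifest.xml for exactly those signs. The sample manifest is constructed for a fake "Flash Player" app (package and class names invented, not the real Android/Spy.Agent.SI sample), the overlay-permission pairing and the brand-mismatch check are heuristics assumed here rather than taken from the article, and it assumes you have already decoded the APK's binary manifest to text with something like apktool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that let an app read or intercept SMS, which is how a trojan
# like the one in the article gets at SMS-delivered 2FA codes.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Assumption: drawing a fake login screen over other apps is one common way to
# "mimic login screens"; the article does not say how this sample does it.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}

# Constructed sample manifest for a fake "Flash Player" app. Not taken from
# the real sample; package and class names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplayer">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="19"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flash Player">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage(manifest_xml):
    """Extract the SMS-relevant facts from a decoded manifest and return
    them together with an ordered list of finding codes."""
    root = ET.fromstring(manifest_xml)
    perms = {attr(e, "name") for e in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    target = int(attr(sdk, "targetSdkVersion") or 0) if sdk is not None else 0

    # Receivers registered for the SMS_RECEIVED broadcast, with filter priority.
    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            if SMS_RECEIVED in {attr(a, "name") for a in flt.iter("action")}:
                prio = int(attr(flt, "priority") or 0)
                sms_receivers.append((attr(recv, "name"), prio))

    findings = []
    if perms & SMS_PERMS:
        findings.append("SMS_ACCESS")
    if sms_receivers:
        findings.append("SMS_RECEIVER")
    if any(prio > 0 for _, prio in sms_receivers):
        # Before Android 4.4 a high-priority receiver ran ahead of the messaging
        # app and could abortBroadcast() to hide the OTP from the user.
        findings.append("HIGH_PRIORITY_SMS_RECEIVER")
    if perms & SMS_PERMS and perms & OVERLAY_PERMS:
        findings.append("OVERLAY_PLUS_SMS")
    if perms & SMS_PERMS and target < 23:
        # targetSdkVersion < 23: no runtime permission prompt even on Android 6,
        # everything is granted at install (the "all or nothing" model above).
        findings.append("LEGACY_PERMISSION_MODEL")
    app = root.find("application")
    label = (attr(app, "label") or "") if app is not None else ""
    pkg = root.get("package") or ""
    # Heuristic (assumption): a "Flash Player" label outside Adobe's namespace.
    if "flash" in label.lower() and not pkg.startswith("com.adobe."):
        findings.append("BRAND_MISMATCH")

    return {
        "package": pkg,
        "targetSdkVersion": target,
        "permissions": sorted(perms),
        "sms_receivers": sms_receivers,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(key, value)
```

Run it on the decoded manifest of any sideloaded "Flash Player" and the finding list tells you what the install-time permission screen would have hidden: a receiver on SMS_RECEIVED plus READ_SMS is the whole 2FA bypass, and a targetSdkVersion below 23 means the Android 6 prompt discussed above never appears for it.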

  2. Re:So, safer than the Adobe Flash by Chrisq · · Score: 1

    Where can I get this?

    My thought exactly.... they had a lucky escape and only installed a banking trojan!

  3. More Complete Pwnage by mentil · · Score: 1

    Devices have been 'pwned' before but it seems to be escalating, as malware used to just do 1 or 2 related malicious things (ad redirects/BHOs/ad banner replacements etc.).

    I'm waiting for ransomware to hit mobile. "Oh you want to make phone calls? $20 to unlock that functionality. Browse the web? $20. Use apps? $20. Once you talk to your bank for 3 hours and get your money back, send the bitcoins to this address." It'll be cleverly priced at less than the cost of a replacement phone (maybe first determining the phone model) or the price of having it serviced by the manufacturer, or insurance deductible.

    Other mobile ransomware might present itself as a message from your carrier: "Hey you're overdue. We're shutting off stuff until you pay up; click here to set up payment." and sure enough their data/voice/SMS are cut off aside from the 'convenient payment app'. It will probably be timed to activate at the beginning/end of the month, like when a bill would be due. They don't have to receive the money directly, the malware can fill up some 'legit' account (Xbox FIFA cards or whatever) in the background using the payment info, which the ransomers then access and drain.

    I have a feeling Google tacitly allows Android's design to be pwnable, so that the Play store vetting is the only thing stopping your device from getting malware; discouraging use of 3rd party stores/piracy increases sales on their store (and thus them getting a cut) an amount probably greater than zero. The question is, is the bad publicity of malware bad enough to drive enough people to Apple that they lose more Play store sales than they gain?

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:More Complete Pwnage by Arnold+Reinhold · · Score: 2

      Scroll down two stories to read the usual Slashdot sneering about Apple products.

    2. Re:More Complete Pwnage by macs4all · · Score: 1

      I have a feeling Google tacitly allows Android's design to be pwnable, so that the Play store vetting is the only thing stopping your device from getting malware

      If only that were true. But unfortunately, you have only a slightly better chance of actually getting a "clean", well-behaved App from the Play Store than you do from some random .ru site.

  4. How is this a security issue? by tetraverse · · Score: 1

    "Android trojan .. disguises itself as Flash Player and spreads via unofficial app stores"

    It would be a real story if this Android 'banking trojan' silently installed itself without the end user taking action. This kind of non-story belongs over on the Microsoft Register.

  5. But... by OpenSourced · · Score: 1

    Does it play Flash or not?

    --
    Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
  6. No Flash by DrYak · · Score: 3, Funny

    Actually *NOT* playing flash (even more so flash ads) would be a *positive* feature.
    Almost redeeming its trojan-ness.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  7. Caveat emptor by wildstoo · · Score: 1

    "spreads via unofficial app stores"

    So... if you use the official Play store you're not going to be exposed to this?

    What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.

    1. Re:Caveat emptor by macs4all · · Score: 1

      What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.

      In all seriousness, and without a hint of Trolling, the main "advantage", AFAICT, is that it makes you feel superior to users of iOS, because only you have true "freedom".

      Unfortunately, like in life, with "freedom" comes responsibility; and up until just recently, Android really didn't give users a fighting chance when it came to its Permissions model.

      In fact, the very combination of "Sideloading" (or lack of Walled-Garden-ness) and Android's clearly pathetic "all-or-nothing" Permissions Model (who the F* thought THAT up?!?) (and which will still be in existence in the field for the next half-decade), is very much the Perfect Storm of vulnerability.

      Again, without any attempt at Trolling, say what you will about iOS, the proof is in the pudding when it comes to malware on the two respective platforms.

    2. Re:Caveat emptor by macs4all · · Score: 1

      The only exceptions I would make are the Amazon app store and F-Droid.

      Seriously, I can't see the need for ANY "exceptions" whatsoever.

      Think about it: With the pretty much laissez-faire attitude that Google has about "Acceptability" for Apps in the Play Store, why oh why would ANY legit Android Developer NOT want the raw number of potential sales that comes with having your App listed on the "One Stop Shopping, and Approved, 'Safe' " Google Play Store?

      So, IMHO, the fact that an App is NOT listed on Google Play should be the #1 Red Flag that something isn't exactly what it seems with an Android App.

      Show me how, in any PRACTICAL sense, that I am wrong. I love "freedom" as much as the next person; but sometimes, the risks outweigh the benefits. And as long as we keep keeping private stuff and do private stuff (like banking) on our mobile devices (regardless of platform), any "benefits" must be VERY carefully considered against the possibility of being pwned.

    3. Re:Caveat emptor by themusicgod1 · · Score: 1

      > And as long as we keep keeping private stuff and do private stuff (like banking) on our mobile devices (regardless of platform)

      If you do not have the source code, you cannot verify that your financial transactions are actually between you and your blockchain. Banking, or anything else, that is not done on an entirely free software stack is simply not safe, post 2013. No one should use Google Play for anything. The Snowden documents have shown that the NSA has been able to coopt it to get users to install their malware/implants. With no way of knowing that you've been coopted. The #1 red flag is not that it's not on google play, the #1 red flag is "no source code".

      --
      GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
    4. Re:Caveat emptor by tlhIngan · · Score: 1

      What exactly are the benefits of using an "unofficial app store"? Pirated apps? Apps the Play store won't carry? Because all I've seen about the "unofficial" ones is they seem to be a major source of malware.

      Other than sticking your tongue out at iOS users, there are a couple of stores that are good.

      I have the Amazon app store, which is nice since Amazon loves to give away paid apps for free - through their daily giveaways as well massive monthly giveaways and even their new one where the more you use it, the more you can get out of it (free paid DLC and stuff).

      The other one would be Humble Bundle which lets you get paid android apps for cheap which can't be done on iOS, for example.

      The other reason is China doesn't have the Play store, and their app stores are less ... vetted, so pirated apps and infected apps are common.

      Of course, the sketchier app stores are often used because well, piracy.

  8. I'm still not clear! by EzInKy · · Score: 1

    Why are those that we trust with our finances allowing funds to be transferred without live, in person, face to face interaction? It's not like none of us could go to the local branch verifying our identity right? Money is all about trust after all.

    --
    Time is what keeps everything from happening all at once.
  9. In conclusion by Swampash · · Score: 1, Informative

    Android

    1. Re:In conclusion by macs4all · · Score: 1

      The price of free choice is that some people will choose poorly. The price of restricted choice is that sometimes Apple will choose poorly on our behalf.

      The problem with "choosing poorly" is that it isn't just "some people"; it is the VAST MAJORITY of people, that have better things to do with their lives than learn the ramifications of clicking "Allow".

      Yes, the price of freedom is eternal vigilance; but in this particular case, you can get pwned even if you are extremely vigilant.

  10. Re:Fake data by castionsosa · · Score: 1

    XPrivacy does exactly this, but AFAIK, it doesn't work well with Android 5 or newer. There are a lot of applications which ask for everything. For example, the Cracked app used to demand access to the GPS, even though all it did was be a shell for Web content.

    Another app that fetches everything is Yik Yak. It goes through the phone to find any individual IDs it can, so it can permanently tie an "anonymous" ID to the phone and the person.

    Location data isn't too hard to fake. Enable mock locations... done. However, stuff like slurping contacts, SMS records, advert IDs, and other items, needs something like XPrivacy, DonkeyGuard, or something decent like that.

  11. Uh...flash player? Really? by evolutionary · · Score: 1

    Yet another reason why Adobe Flash should die a much faster death.

    --
    "Imagination is more important than knowledge" - Einstein
  12. Not two-factor by DriveDog · · Score: 1

    It's not really two-factor if one of them comes from the same machine being used for access.

    1. Re:Not two-factor by Zero__Kelvin · · Score: 1

      No. Just NO. Please stop spreading misinformation. Thanks.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  13. That's funny by JustAnotherOldGuy · · Score: 2

    "The banking malware ... disguises itself as Flash Player..."

    That's funny, usually it's the other way around.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  14. Mod Parent Up. by mjwx · · Score: 1

    "Android trojan .. disguises itself as Flash Player and spreads via unofficial app stores"

    It would be a real story if this Android 'banking trojan' silently installed itself without the end user taking action. This kind of non-story belongs over on the Microsoft Register.

    This is the iPhone defence.

    Yep, this is exactly the excuse that iPhone users use to dismiss security issues brought on by jail breaking and Cydia.

    Getting the user to install malicious software has always been and will always remain the most effective way of spreading it. Doesn't matter what the platform is and in the end, there is only so much you can do to protect stupid people from themselves.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  15. Re:That's not 2FA by Zero__Kelvin · · Score: 1

    Ladies and gentleman ... The above is a classic example of someone who either has no idea what they are talking about, or someone who is intentionally spreading misinformation. Rest assured that "SMS + Password" is indeed 2 factor authentication, regardless of which system is used to enter the password / secret.

    The AC seems to think that physical possession of the smartphone somehow magically conveys the other factor (the password.) Clearly it doesn't.* The first factor is the possession of the phone (something you possess). The second is the entering of a secret (something you know). Since possession of the phone doesn't automagically help an attacker know the secret, the fact that I happen to use my phone to enter the secret rather than a different computer system is entirely immaterial.

    * This clearly assumes that the smartphone owner doesn't choose to "Save Password" for the respective content / service provider(s).

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  16. Re:That's not 2FA by Zero__Kelvin · · Score: 1

    "2FA is always defined as "something you know" + "something you have"."

    FTFY

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  17. Re:That's not 2FA by Zero__Kelvin · · Score: 1

    That isn't true. See also. . No need to reply ... Apology accepted.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  18. Re:That's not 2FA by Zero__Kelvin · · Score: 1

    You are an idiot who doesn't have any idea what he is talking about. That would be bad enough on its own, but I just got done explaining to you why you are a clueless idiot. The fact that you can't figure it out even after it has been explained to you is pathetic. Let me try to explain it to you again. Dear moron: The phone is something you have. The password is something you know. When taken as an aggregate that's two factor auth. Period. Your belief that it matters how the second factor was communicated is a direct indication of your complete lack of understanding of computer security. Off you go now rank amateur.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun