Quick Heal Security Labs has detected an Android banking trojan, Android.banker.A9480, which is said to target more than 232 banking apps, including apps offered by Indian banks. Like other banking trojans, Android.banker.A9480 is designed to steal login credentials, hijack SMS messages, etc.
The trojan is being distributed through a fake Flash Player app on third-party app stores, which is not very surprising considering that Adobe’s Flash Player is one of the most widely distributed products on the Internet. Once the malicious app is installed on the phone, it requests administrative rights, and even if a user rejects the request or terminates the process, it keeps throwing pop-ups until the user activates the admin privilege.
The app then goes into hiding once the user taps on it. Once the icon is hidden, it looks through the installed apps for any of the 232 targeted apps, which include banking apps and some cryptocurrency apps. If the trojan finds any app from that list, it throws fake notifications impersonating the targeted banking app. If a user clicks on the notification, they are shown a fake login screen that steals the user’s confidential login details.
The malware is capable of receiving and processing login credentials, hijacking SMS messages, uploading contact lists and SMS messages to a malicious server, and displaying an overlay screen. It can also intercept all incoming and outgoing SMS messages on the infected device, which enables attackers to bypass SMS-based two-factor authentication. To silence SMS notifications, the malware can also set the device’s ringer volume to silent.
Targeted banking apps in India include Axis, HDFC, SBI Anywhere Personal, ICICI, IDBI, Bank of Baroda and Union Bank Mobile Banking. To avoid getting infected with this malware, avoid downloading apps from third-party app stores or from links provided in SMS messages or emails, always keep ‘Unknown Sources’ disabled, and install a reliable mobile security app.
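For anyone triaging a sideloaded APK, the behaviours described above leave traces in the app manifest. The following is an added example, not Quick Heal's detection logic: it scans a decoded `AndroidManifest.xml` for a device-admin receiver, SMS and contact permissions, and a "Flash Player" label. The sample manifest is constructed, and the behaviour-to-permission mapping and function names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Article behaviour -> permissions that would enable it (this mapping is an assumption).
BEHAVIOUR_PERMS = {
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS",
                         "android.permission.SEND_SMS"},
    "contact_upload": {"android.permission.READ_CONTACTS"},
    "overlay_screen": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

# Constructed sample in decoded text form; not taken from the real trojan.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Flash Player">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

def triage_manifest(xml_text):
    """Return the sorted list of article behaviours this manifest could support."""
    root = ET.fromstring(xml_text.strip())
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = {b for b, perms in BEHAVIOUR_PERMS.items() if perms & requested}
    # A device-admin receiver is declared with the BIND_DEVICE_ADMIN permission.
    if any(r.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
           for r in root.iter("receiver")):
        findings.add("device_admin")
    # Labels are often @string/ references; only a literal label is checked here.
    app = root.find("application")
    label = app.get(ANDROID + "label", "") if app is not None else ""
    if "flash player" in label.lower():
        findings.add("flash_player_label")
    return sorted(findings)

def is_suspicious(findings):
    """Flag device admin combined with SMS access, the pairing the article describes."""
    return {"device_admin", "sms_interception"} <= set(findings)

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result, "suspicious" if is_suspicious(result) else "no match")
```

A match is a reason to inspect the app further, not a verdict: legitimate messaging and device-management apps request some of the same permissions.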