Malware News: Android Protection to Bank On

Last week, banks in Australia, New Zealand, and Turkey saw the distribution of malware that steals credentials from users of their apps on Android phones and tablets, as well as intercepting the two-factor authentication codes users can receive via text message for increased security. Delivered in the guise of an Adobe Flash Player updater, the malware presents a fake login screen in advance of the real one on the banking apps, tricking users into giving up their credentials. The malware, known by some virus indexers as Android/Spy.Agent.SI, spoofs and intercepts logins for Australia’s Big Four banks, as well as dozens of other financial institutions in Australia, New Zealand, Turkey, and elsewhere – Wells Fargo is one known target elsewhere. And, for good measure, it intercepts login attempts on PayPal, eBay, WhatsApp, Skype, and several Google services.

You can find more coverage here and here.

We downloaded samples from VirusTotal and ran them through Lastline Enterprise. The product’s Deep Content Inspection™ approach can detect malicious behaviors and bypass evasions not only in analysis of Windows malware, but in OS X and Android as well.

(Once again, thanks to Dan Mathews, Director of Sales Engineering, for his efforts.)

Here are the results of Lastline’s automated analysis of one of the samples.

[Image: android-banking-1.png (results of Lastline's automated analysis of the sample)]

Analysis Overview:

[Image: android-banking-2.png (analysis overview)]

Note that our automated analysis was able to detect many potentially malicious behaviors – transmission of equipment and subscriber identifiers, a single application sending data both via SMS and over the Internet, sending data from a normally-secure content type on the device, prompting for device administration abilities – that individually are not conclusive but, in combination with other information about the sample, make it possible for Lastline to characterize the artifact as malicious.
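As an added illustration of this "individually inconclusive, conclusive in combination" reasoning (example code written for this post, not Lastline's product logic), the script below pulls the same four behavior indicators out of an Android manifest and combines them into a verdict. The manifest, the indicator names and the threshold of three are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest excerpt modelled on the behaviors described above;
# it is not the real sample's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeflashupdater">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def extract_indicators(manifest_xml):
    """Map declared permissions/components to the behavior indicators
    discussed in the post. Each one alone is common in benign apps."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    wants_admin = any(
        r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver"))
    sms_perms = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
    found = set()
    if "android.permission.READ_PHONE_STATE" in perms:
        found.add("reads_device_identifiers")   # IMEI / IMSI access
    if perms & sms_perms:
        found.add("reads_sms_content")          # normally-secure content type
    if "android.permission.INTERNET" in perms and (
            perms & (sms_perms | {"android.permission.SEND_SMS"})):
        found.add("sms_and_internet")           # one app using both channels
    if wants_admin:
        found.add("requests_device_admin")
    return found


def verdict(indicators):
    """Assumed heuristic: three or more co-occurring indicators is the
    combination worth escalating; fewer is only 'suspicious'."""
    if len(indicators) >= 3:
        return "likely-malicious"
    return "suspicious" if indicators else "no-indicators"
```

The manifest check is a static stand-in for the dynamic behaviors Lastline observed; the same combination logic applies to runtime events.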