This dangerous Android spyware could affect millions of devices


An updated version of the Banker spyware for Android has been detected; it steals victims' banking details and, in some cases, possibly their money as well.

According to Microsoft cybersecurity researchers, an unknown malicious actor has launched a smishing (SMS phishing) campaign that tries to trick people into downloading TrojanSpy:AndroidOS/Banker.O, a malware variant capable of extracting all kinds of sensitive information, including two-factor authentication (2FA) codes, account login credentials and passwords, and other personally identifiable information (PII).

What makes this attack particularly worrying is the secrecy of the entire operation.

Granting major permissions

After the user downloads the malware, they need to grant it a number of permissions; the app's components include MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid.

This allows the malware to intercept calls and access call logs, messages, contacts and even network information. With these capabilities, it can also receive and read incoming two-factor authentication codes sent via SMS and delete them so that the victim suspects nothing.

To make matters worse, the app can switch the phone to silent mode, which means incoming 2FA SMS codes can be received, read and deleted in complete silence: no notification sound, no vibration, no screen lighting up, nothing at all.
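The behaviour described above (receiving SMS, surviving reboots, silencing the ringer) leaves a recognisable footprint in an app's manifest. The following script is an added example, not code from the article or from Microsoft's research: it parses an AndroidManifest.xml, looks for the permission and receiver combination a 2FA-stealing banker needs, and returns a triage verdict. Both manifests below are constructed for the example, and the scoring rules are this example's own heuristic.

```python
"""Triage an Android manifest for the permission/receiver combination a
2FA-stealing banker trojan needs.  Added example: the sample manifests are
constructed and the scoring heuristic is this example's own."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Permissions worth flagging, each labelled with the capability it grants.
SUSPICIOUS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (2FA codes)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot",
    "android.permission.MODIFY_AUDIO_SETTINGS": "silence the ringer (hide alerts)",
    "android.permission.ACCESS_NETWORK_STATE": "read network information",
}

SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed manifest mimicking the permission set the article describes.
BANKER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Rewards App">
    <receiver android:name=".RestartBroadCastReceiverAndroid">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for contrast: network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""


def triage_manifest(xml_text):
    """Return flagged permissions, behavioural indicators and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    flagged = {p: SUSPICIOUS[p] for p in perms if p in SUSPICIOUS}
    actions = {a.get(NAME) for a in root.iter("action")}

    indicators = []
    # A receiver for SMS_RECEIVED plus RECEIVE_SMS is what lets the app
    # see 2FA codes before (or instead of) the user.
    sms_intercept = ("android.permission.RECEIVE_SMS" in perms
                     and SMS_ACTION in actions)
    if sms_intercept:
        indicators.append("sms_intercept")
    # Boot receiver plus RECEIVE_BOOT_COMPLETED: the app restarts itself.
    if ("android.permission.RECEIVE_BOOT_COMPLETED" in perms
            and BOOT_ACTION in actions):
        indicators.append("boot_persistence")
    # Audio control alongside SMS interception: codes can be hidden silently.
    if sms_intercept and "android.permission.MODIFY_AUDIO_SETTINGS" in perms:
        indicators.append("silent_interception")
    if perms & {"android.permission.READ_CALL_LOG",
                "android.permission.READ_CONTACTS"}:
        indicators.append("pii_collection")

    if sms_intercept and len(indicators) >= 2:
        verdict = "high"
    elif sms_intercept or len(flagged) >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"permissions": sorted(flagged), "indicators": indicators,
            "verdict": verdict}


if __name__ == "__main__":
    for label, text in (("banker", BANKER_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(text)
        print(label, result["verdict"], result["indicators"])
```

Run it on a manifest extracted from an APK (for instance with apktool) to get a first-pass signal; a "high" verdict is a reason for manual review, not proof of malice, since legitimate SMS and dialler apps legitimately hold several of these permissions.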

The threat actors behind the campaign are unknown, but what Microsoft does know is that the app, first seen in 2021 and significantly improved since then, can be accessed remotely.

The scope of the attack is also unknown, and it is difficult to determine exactly how many people are affected. Last year, Banker was observed targeting Indian consumers only, and since the phishing SMS carries the logo of the Indian bank ICICI, it is safe to assume that Indian users are again in the crosshairs.

"Some of the malicious APKs also use the same Indian bank logo as the fake app we investigated, which could indicate that the actors are constantly generating new versions to continue the campaign," the researchers said.

Via: The Register