Android malware disguises itself as Flash Player, targets banking apps

Twelve Indian banks’ customers are at risk as security researchers have spotted a malicious Android malware that steals banking information from users’ phones. A blog by Quick Heal Security Labs has brought to notice the existence of this malware named ‘Android.banker.A9480’ that targets over 232 banking, cryptocurrency and e-commerce apps.

The malware has the ability to steal login credentials, hijack SMSs, access contact lists and upload them to a server. It is also able to display an overlay on top of your existing apps and capture user inputs from that.

Targeted banking apps in India include:

• axis.mobile (Axis Mobile)
• snapwork.hdfc (HDFC Bank MobileBanking)
• sbi.SBIFreedomPlus (SBI Anywhere Personal)
• hdfcquickbank (HDFC Bank MobileBanking LITE)
• csam.icici.bank.imobile (iMobile by ICICI Bank)
• snapwork.IDBI (IDBI Bank GO Mobile+)
• idbibank.abhay_card (Abhay by IDBI Bank Ltd)
• com.idbi (IDBI Bank GO Mobile)
• idbi.mpassbook (IDBI Bank mPassbook)
• co.bankofbaroda.mpassbook (Baroda mPassbook)
• unionbank.ecommerce.mobile.android (Union Bank Mobile Banking)
• unionbank.ecommerce.mobile.commercial.legacy (Union Bank Commercial Clients )

The malware also targets a multitude of apps from international banks, cryptocurrency wallets, Amazon Shopping app, eBay and AirBnB among others.

 It’s all Flash’s fault… kind of

The infection is designed and distributed as a Trojan. Like the wooden horse from Greek mythology, the malware is disguised as a legitimate app. Android.banker.A9480 is distributed through third-party app stores disguised a Flash Player app. The legitimate Flash Player, despite its own questionable history with internet security, is widely used by millions to access various web applications.

Once an unassuming user installs the malicious app, it will ask the users to activate administrative rights. If the user tries to deny the request the app will keep throwing continuous pop-ups until admin rights are given.

After the initial setup, the app runs in the background and looks for 232 particular apps (mostly banking and some cryptocurrency apps).

If anyone of the targeted apps is found on the infected device, the malware will throw up a fake notification screen that leads the user to a login screen, both designed to mimic the original app. From here the app can easily steal the user’s banking ID and passwords.

How to stay safe

• A great rule of thumb with technology is if you don’t know what the hell you are doing, don’t do it.
• That includes enabling developer options and installation from ‘Unknown Sources’.
• Avoid using third-party app stores and installing unknown APK files on your phone.
• As an extra precaution, go through the list of permissions every app requests from you during installation. If there’s something there that’s it shouldn’t need, like access to contacts lists and ability to read messages be on guard.