“Online banking has made most people’s lives easier due to the fact that banking can be done just about anywhere as long as you are connected to the internet. People make use of it for buying things online, paying bills and doing some other transactions. Just like every storyline with two sides, this most exciting experience keeps on showing its dark side simply because cybercriminals extend their targets to it.” – Yusuph Kileo
“I recently encountered a botnet targeting Android smartphone users who bank at financial institutions in the Middle East. The crude yet remarkably effective mobile bot that powers this whole operation comes disguised as one of several online banking apps, has infected more than 2,700 phones, and has intercepted at least 28,000 text messages.” – Krebs
The botnet comes bundled with Android apps made to look like mobile two-factor authentication modules for various banks, including Riyad Bank, SAAB (formerly the Saudi British Bank), AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank.
PICTURE: Fake Android bank apps employed by the Sandroid botnet.
It’s not clear how the apps are initially presented to victims, but if previous such scams are any indication they are likely offered after infecting the victim’s computer with a password-stealing banking Trojan. Many banks send customers text messages containing one-time codes that are used to supplement a username and password when the customer logs on to the bank’s Web site. That precaution of course requires attackers interested in compromising those accounts to also hack the would-be victim’s phone.
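The interception-and-relay pattern described above, as an added forensic triage example that is not part of this post or of Krebs’s reporting: it builds a small SQLite table modelled on the Android SMS store (schema simplified; the column names and the type codes 1 = received, 2 = sent are assumptions, as is the assumption that the relaying app’s outbound texts were logged there), then self-joins it to find OTP-bearing received messages that were re-sent verbatim to another number within a minute. The sample rows are constructed; the sink number is the one quoted later in the post.

```python
import re
import sqlite3

# Constructed sample rows: (address, date in epoch ms, type, body).
# type 1 = received, 2 = sent (assumed to follow Android's sms table).
SAMPLE_ROWS = [
    ("RiyadBank",     1700000000000, 1, "Your one-time password is 483921. Valid 5 min."),
    ("+79154369077",  1700000004000, 2, "Your one-time password is 483921. Valid 5 min."),
    ("+255700000001", 1700000100000, 1, "See you at 7"),
    ("+255700000001", 1700000150000, 2, "OK"),
    ("AlRajhi",       1700000200000, 1, "OTP: 117204 for login"),
    ("+79154369077",  1700000202000, 2, "OTP: 117204 for login"),
]

OTP_RE = re.compile(r"\b\d{4,8}\b")   # 4-8 digit code somewhere in the body
FORWARD_WINDOW_MS = 60_000            # relay must happen within one minute


def load_sample_db():
    """Create an in-memory table with the constructed rows (simplified schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                 "date INTEGER, type INTEGER, body TEXT)")
    conn.executemany("INSERT INTO sms (address, date, type, body) VALUES (?,?,?,?)",
                     SAMPLE_ROWS)
    return conn


def find_relayed_otps(conn, window_ms=FORWARD_WINDOW_MS):
    """Return (sender, relay_destination, code, delay_ms) for every received
    message carrying an OTP-like code that was re-sent verbatim to a
    different number within window_ms. Self-join: i = inbound, s = sent."""
    rows = conn.execute(
        "SELECT i.address, s.address, i.body, s.date - i.date "
        "FROM sms AS i JOIN sms AS s "
        "  ON i.type = 1 AND s.type = 2 AND s.body = i.body "
        " AND s.date >= i.date AND s.date - i.date <= ? "
        " AND s.address != i.address "
        "ORDER BY i.date", (window_ms,)).fetchall()
    hits = []
    for sender, dest, body, delay in rows:
        m = OTP_RE.search(body)
        if m:                                  # skip plain-text echoes
            hits.append((sender, dest, m.group(0), delay))
    return hits


def relay_destinations(hits):
    """Count relayed codes per destination: one sink number collecting codes
    from several banks is the pattern the botnet described above relies on."""
    counts = {}
    for _, dest, _, _ in hits:
        counts[dest] = counts.get(dest, 0) + 1
    return counts
```

On a real handset image the same query would run against the extracted SMS database instead of the constructed rows.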
PICTURE: Some of the text messages intercepted by the Sandroid botnet malware.
This particular botnet appears to have been active for at least the past year, and the mobile malware associated with it has been documented by both Symantec and Trend Micro. The malware itself seems to be heavily detected by most of the antivirus products on the market, but then again it’s likely that few — if any — of these users are running antivirus applications on their mobile devices.
In addition, this fake bank campaign appears to have previously targeted Facebook, as well as banks in Australia and Spain, including Caixa Bank, Commonwealth Bank, National Australia Bank, and St. George Bank.
People often ask whether they should be using mobile antivirus products. From my perspective, most of these malicious apps don’t just install themselves; they require the user to participate in the fraud. Keeping your mobile device free of malware involves following some of the same steps outlined in my Tools for a Safer PC and 3 Rules primers:
Chiefly, if you didn’t go looking for it, don’t install it! If you own an Android device and wish to install an application, do your homework before installing the program. That means spending a few moments to research the app in question, and not installing apps that are of dubious provenance.
That said, this malware appears to be well detected by mobile antivirus solutions. Many antivirus firms offer free mobile versions of their products. Some are free, and others are free for the initial use — they will scan and remove malware for free but charge for yearly subscriptions. Some of the free offerings include AVG, Avast, Avira, Bitdefender and others.
Incidentally, the mobile phone number used to intercept all of the text messages is +79154369077, which traces back to a subscriber in Moscow on the Mobile TeleSystems network.
I call upon Android users in Tanzania, and mostly those who use their phones to perform transactions, to be aware of this new cyber challenge, as it looks like it is growing extremely fast. I have said it in most of my interviews with the media in Dar es Salaam regarding the security challenges we have on mobile phones, and I would like to repeat it on this matter, as we all need to develop the habit of making use of antivirus on our phones.
UPDATE: “Today, criminals are assisted in the commission of their crimes by the mobile devices and applications they use. Application evidence is critical in any and all investigations. By allowing the user to pull this important and volatile data from any SQL database, AccessData’s MPE+ has given the upper hand to the law enforcement investigator. Using MPE+ SQL Builder, the relevant evidence can be extracted and a criminal’s intentions exposed. Staying ahead of the app, MPE+ is changing the way mobile forensics is done by introducing an entirely different approach to mobile device forensics.” – Lee Reiber