A new threat, detected as ANDROIDOS_FAKEBANK.OPSA and part of a two-year-old malware distribution campaign, is now spreading on Android devices disguised as a one-time password (OTP) generator app of the kind people use with their banking apps.
The group behind the campaign, known as Operation Emmental, steals victims' banking credentials and then takes over their phones by installing the TeamViewer QuickSupport app.
The group hid their first malware in January, using another OTP app; then in May they targeted a few Russian banks, and victims were locked out of their phones while their bank accounts were emptied.
The crooks have now returned to the January approach: they are hiding their credential-stealing malware in a banking-related app named SmsSecurity, which claims to generate one-time access codes that let users log in to their bank accounts.
The hackers are aware that researchers have their eyes on them, so they added anti-tampering measures and checks that stop the application from running in an Android emulator. The malware tricks the user into enabling accessibility services, which it then uses to secretly grant itself device administrator rights. Once the SmsSecurity app has admin rights, it has the green light to collect login credentials and send them to its C&C server.
Researchers at Trend Micro have warned that the app targets customers of banks in Austria, Hungary, Romania, and Switzerland; the banks named are Aargauische Kantonalbank, Bank Austria, Banque Cantonale de Fribourg, BKB Bank, Credit Suisse, Erste Bank, Glarner Kantonalbank, Luzerner Kantonalbank, Ober Bank, Obwaldner Kantonalbank, Raiffeisen Bank, Schaffhauser Kantonalbank, Volksbank and Zürcher Kantonalbank.
The malware downloads the TeamViewer QuickSupport app onto the infected device, starts a session, reads the local TeamViewer ID, and sends that information to the C&C server. The crooks then connect to the victim's phone and operate it remotely.
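The capability mix described above (an accessibility service, a device-admin receiver, SMS access and network access, all in an app posing as an OTP generator) is something an analyst can check for statically in an APK's AndroidManifest.xml before the app ever runs. The script below is an added example written for this article; it is not Trend Micro's tooling or anything from the malware itself. The manifest it parses is a constructed sample that imitates the declarations such an app would need, and the severity notes attached to each permission are the author's own heuristic, not a detection signature.

```python
"""Static triage of an AndroidManifest.xml for the capability combination the
article describes: accessibility-service abuse, device-admin rights, SMS
interception and C&C network access.

Added example; the sample manifest below is constructed, not taken from the
real SmsSecurity app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Heuristic mapping (author's assumption) of requested permissions to why a
# fake OTP app would want them.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (one-time passwords)",
    "android.permission.READ_SMS": "can read stored SMS messages",
    "android.permission.INTERNET": "can talk to a remote (C&C) server",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can side-load further APKs (e.g. a remote-control tool)",
}
# Accessibility services and device-admin receivers are identified by the
# system permission that guards the component, not by a <uses-permission>.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def triage_manifest(manifest_xml):
    """Return a dict of findings for one manifest (text of AndroidManifest.xml)."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    service_guards = {e.get(PERMISSION) for e in root.iter("service")}
    receiver_guards = {e.get(PERMISSION) for e in root.iter("receiver")}

    findings = [RISKY_PERMISSIONS[p] for p in sorted(requested) if p in RISKY_PERMISSIONS]
    accessibility = ACCESSIBILITY in service_guards
    device_admin = DEVICE_ADMIN in receiver_guards
    if accessibility:
        findings.append("declares an accessibility service (can read the screen and click through prompts)")
    if device_admin:
        findings.append("declares a device-admin receiver (can lock the device and resist uninstall)")

    # The article's combination: accessibility + device admin + SMS access.
    suspicious = accessibility and device_admin and bool(requested & SMS_PERMS)
    return {
        "package": root.get("package"),
        "findings": findings,
        "accessibility": accessibility,
        "device_admin": device_admin,
        "suspicious": suspicious,
    }


# Constructed sample manifest imitating a fake OTP app (not the real malware).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.otp.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="SmsSecurity (constructed sample)">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather (constructed sample)"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(m)
        print(report["package"], "SUSPICIOUS" if report["suspicious"] else "ok")
        for f in report["findings"]:
            print("  -", f)
```

Run against a real APK by feeding it the decoded manifest (the binary manifest inside an APK has to be converted to text first with a tool such as apktool or aapt, which this script does not do). A single hit on any one indicator is common in legitimate apps; the point of the combined rule is that a one-time-password generator has no plausible reason to need an accessibility service and device-admin rights together with SMS access.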