Android malware steals banking credentials

By Nadine Arendse
Johannesburg, 26 Mar 2012

Security researchers at McAfee have discovered a malicious Android application capable of grabbing banking passwords from a mobile device without infecting the user's computer, ZDNet reports.

The latest piece of Android malware, dubbed FakeToken, contains man-in-the-middle functionality to hijack two-factor authentication tokens and can be remotely controlled to grab the initial banking password directly from the infected mobile device.

As explained by McAfee researcher Carlos Castillo in a blog post, the application targets major financial institutions by posing as a Token Generator app, Android Authority writes.

Once installed, the malware goes so far as to mimic the targeted bank's logo and colour scheme, lending the ruse credibility and making it hard for users to distinguish the malicious application from the legitimate one.

The original file that contains the malware also includes a list of the control servers that the malware can connect to, as well as a mobile number that the data from the compromised phone can be sent to via SMS, Threat Post notes.

The malware also creates a service that listens for commands from the control server. The commands can include installing a new list of control servers or requesting that the malware gather and send all of the contacts from the compromised phone.
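A defender-side triage heuristic built from the capabilities the article attributes to FakeToken (reading incoming SMS tokens, sending data out by SMS, harvesting contacts, talking to control servers), added here as an example and not taken from McAfee's analysis or the article: it parses an app's AndroidManifest.xml and flags the permission combination those capabilities would require. The capability-to-permission mapping and the two sample manifests are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: each behaviour the article describes -> permissions an app
# would need to declare to implement it on Android.
CAPABILITIES = {
    "intercept_sms_tokens": {"android.permission.RECEIVE_SMS",
                             "android.permission.READ_SMS"},
    "exfil_via_sms": {"android.permission.SEND_SMS"},
    "harvest_contacts": {"android.permission.READ_CONTACTS"},
    "c2_over_network": {"android.permission.INTERNET"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def matched_capabilities(manifest_xml: str) -> set:
    """Capabilities the app could implement given what it declares."""
    perms = declared_permissions(manifest_xml)
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}


def looks_like_token_stealer(manifest_xml: str) -> bool:
    """Flag apps that can read incoming SMS *and* have a channel to send data out.
    A genuine one-time-token generator needs neither SMS permission, so this
    combination is the signal; a legitimate SMS client would also match, so
    treat a hit as a reason to inspect, not a verdict."""
    caps = matched_capabilities(manifest_xml)
    return "intercept_sms_tokens" in caps and bool(caps & {"exfil_via_sms", "c2_over_network"})


# Constructed sample manifests (not real FakeToken artefacts).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.tokengen">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank.token">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, sorted(matched_capabilities(xml)), looks_like_token_stealer(xml))
```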

Much of the malware that plagues desktop PCs these days is designed to perform some kind of financial fraud, phishing or other theft. Researchers have said they expected this to creep into the mobile platforms as well, but the evolution has been somewhat stunted so far. That may now be changing.