SpyLocker is the name given by Intel Security (McAfee) researchers to a new variant of Android malware that shows credential phishing popups for customers of EU banks and for some popular Android applications.
The trojan was actually spotted in a previous campaign a while back, during which it disguised itsef as a Flash Player app for Android users, distributed via websites with adult material. The initial campaign targeted the customers of banks in Australia, New Zealand, and Turkey.
Intel Security researchers areon a new wave of attacks, that distribute the same fake Flash for Android app, or sometimes a fake Android system update app, in order to infect users. The difference this time is that besides their own servers, crooks are also utilizing hacked WordPress and Joomla sites as well.
Banking trojan is somewhat similar to a two-year-old ransomware variant
According to the security firm’s experts, the newly discovered banking trojan is somewhat similar to an Android ransomware variant that was active in 2014, called Police Locker. The similarities are few, but they are there nonetheless.
Intel Security says this new SpyLocker campaign only targets the customers of banks in France, Poland, and the UK. Additionally, the company also said it discovered the necessary modules to target Russian banks, but the crooks did not appear to be interested in doing so.
Besides showing classic popups with bank login forms for various mobile banking apps created by various financial institutions, SpyLocker also targets some popular apps and services such as Google accounts, eBay or Instagram.
SpyLocker now targets only European bank customers
Once the trojan collects the desired data, it sends it to a C&C server, along with other details about the infected device. Further, SpyLocker can also intercept incoming SMS messages, access the call history, check a list of installed apps, and more. Practically all the same things that other modern Android banking trojans can do, of which SpyLocker seems to be a carbon copy of.
SpyLocker’s malicious functionality is powered by its ability to attain administrator privileges. If users avoid granting such rights to apps they’ve downloaded from a suspicious website, then most users should be safe.
Another recently discovered and interesting Android malware variant is, which blended ransomware and banking trojan features, detected by Dr.Web last week, and targeting only Russian users.