Android malware coders have come up with a clever trick to mask fraudulent bank transactions, operating by changing the user’s smartphone PIN, then locking the device, and by doing so keeping him busy while they empty his bank account.
The first version of this malware appeared in December 2015, but went mostly unreported, targeting a small number of users. Since then, this Android malware, known as the Fanta SDK, has evolved in capabilities but has kept its mode of operation the same.
Malicious banking apps spread via fake bank notification emails
, the security firm that discovered this threat, says that crooks are using spam emails to distribute their malware-laced applications.
A user first receives an email with his bank’s email address spoofed, and he’s told that a new security update for his banking application was recently released and that he should update his app. Right now, the app only targets the users of Russian banks.
If the user has one of those apps installed on his phone, he’ll likely follow the download link included in the email and download the app on his phone. Recommended is that users update the mobile banking app through the Google Play Store, and not via manual downloads.
Malicious app needs admin privileges to show phishing screens
After the user downloads and installs the app, he’ll be prompted to grant it administrative privileges. Trend Micro experts explain why users should not give any suspicious app admin privileges.
“ Keep in mind that most legitimate apps do not request admin privileges. This is a common red flag users should catch early when dealing with mobile malware. ”
After the app gets admin privileges, it will wait for the user launch the mobile banking app of a targeted bank. At this point, the app will show a popup through which it phishes the user’s banking credentials, and then redirect him to the legitimate app.
The malicious app then sends these credentials to the crooks’ server who will use them to make fraudulent transactions.
Malware will also change your PIN when you try to uninstall it
If the user decides he doesn’t need a mobile banking app, or sees something suspicious and attempts to uninstall the malicious app, the Fanta SDK comes with a self-protection method that automatically sets a random smartphone PIN and then locks the device.
At this stage, seeing that its presence was detected, the malware just starts emptying your bank account. By the time the user finds a way to unlock his phone, usually via a reflash, hours, if not days or weeks have passed.
The malware has the opportunity to make a clean get-away with all the victim’s money if the infected host has multiple bank accounts and doesn’t notice the fraudulent transactions in time to file a complaint with his bank.
Fanta SDK tied to wide-reaching banking malware operations
Researchers have connected this app’s master servers with the infrastructure of other malware operations that deliver the Cridex, Ramnit, andbanking trojans.
Trend Micro says the app has a similar mode of operation as the crooks from, who stole money from bank accounts in Switzerland, Sweden, and Austria, using a novel technique at that time. The group was believed to be of Russian origin.
Below is the Fanta SDK trying to pose as the Sberbank mobile banking application. The real loading screen is on the left, while the fake is on the right.