Android users who use their phone to access the big 4 banks (National Australia Bank, Commonwealth, Westpac and ANZ) could be at risk from one of the more sophisticated pieces of malware discovered to date.
The program sits in the background and does absolutely nothing until you launch your mobile banking application, at which point it creates a dynamic overlay to capture your username and password (quite common for malware). Here's where it gets scary: if you're using two-factor authentication via SMS, it is also capable of intercepting the codes and forwarding them to attackers who can be anywhere in the world and then log in to your online banking.
In fact, once it has been installed the app has the ability to download files from a remote computer and/or the Internet, read incoming SMS messages, send SMS messages, delete SMS messages and send on the information it has gathered.
But it's not just online banking that could be at risk: PayPal, Skype, WhatsApp and eBay, alongside a few Google services, are known to be targets of this specific malware. Regardless of which banking/payment application you're using, once your data has been captured the malware overlay closes and your banking app works exactly as you would expect it to. The non-intrusive nature of this application is one of its strengths and allows it to go largely undetected by the average user.
Any good news?
Definitely. The good news is that you need to have deliberately circumvented the built-in Android protection and installed a specific, malicious app to be vulnerable. So do you install apps from "unknown sources"? If the answer is no, or if you don't know what this refers to, you're safe. If you do, and you installed a "Flash Player" from somewhere on the web, you probably have cause for concern and should check your phone carefully to ensure that you're not at risk.
Checks and removal
To check whether you're potentially at risk, head to Settings > Security > Device Administrators and look for "Flash Player" in the list. If it is there, you've got a problem, but removal is fairly simple: to start with, you need to remove Flash Player from the administrators list. The app granting itself Administrator access to your device is essentially a self-protection mechanism; Android blocks the uninstallation of an active device administrator, which stops many users from being able to remove the app.
NB. When you remove Flash Player from the device administrators list you will get a popup stating that data will be lost. This is not true and is another trick the malicious programmers have built in to fool the uneducated into keeping the software on their device.
According to ESET, the app may receive a command that prevents Administrator rights from being disabled for the application. If you do have issues removing the administrator rights for Flash Player on your device, the way around this is to boot the phone or tablet into safe mode and follow the steps listed above.
Once you have revoked Flash Player's administrator rights on your device, you can then uninstall the Flash Player app via Settings > Apps/Application manager > Flash Player > Uninstall. Restart your device and you're all set. The danger of this particular piece of malware is not that it's difficult to remove, but rather that it is difficult to detect.
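The same device-administrator check can be done from a computer with adb rather than by tapping through Settings, which is handy when the overlay or the fake "data will be lost" popup makes the phone itself hard to trust. This is an added example, not part of the original post or of ESET's analysis: it parses the output of `adb shell dumpsys device_policy` and flags any enabled device admin whose package is not on a short allowlist. The sample dump, the allowlist and the package name `com.example.flashplayer` are constructed for the example, and the dump format is an approximation of AOSP's output.

```shell
#!/bin/sh
# Constructed sample of `adb shell dumpsys device_policy` output (format
# approximated from AOSP; real output carries more fields per admin).
SAMPLE_DUMP='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver:
      uid=10012
      policies:
        reset-password
        wipe-data
    com.example.flashplayer/.DeviceAdmin:
      uid=10099
      policies:
        force-lock
        wipe-data
  Password Owner: -1
'

# Packages the device owner has vetted as legitimate device admins
# (assumption for the example; build this list from your own device).
KNOWN_ADMINS="com.google.android.gms com.android.managedprovisioning"

# list_device_admins DUMP -> one "package/Receiver" component per line.
# Admin components sit under "Enabled Device Admins", indented four spaces
# and ending in ":"; their settings are indented further and are skipped.
list_device_admins() {
    printf '%s\n' "$1" | awk '
        /^  Enabled Device Admins/          { in_admins = 1; next }
        in_admins && /^  [^ ]/              { in_admins = 0 }
        in_admins && /^    [^ ].*\/.*:$/    { sub(/^ +/, ""); sub(/:$/, ""); print }
    '
}

# flag_unknown_admins DUMP -> admin components whose package is not vetted.
flag_unknown_admins() {
    list_device_admins "$1" | while IFS= read -r comp; do
        pkg=${comp%%/*}
        known=0
        for k in $KNOWN_ADMINS; do
            [ "$pkg" = "$k" ] && known=1
        done
        if [ "$known" -eq 0 ]; then
            printf '%s\n' "$comp"
        fi
    done
}

# On a real device: flag_unknown_admins "$(adb shell dumpsys device_policy)"
flag_unknown_admins "$SAMPLE_DUMP"
```

Any component printed is a device admin you did not knowingly grant; an unfamiliar package posing as a Flash Player is exactly what the Settings walkthrough above is looking for.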
A bit more info
If you're keen to learn more about this, ESET Security Systems have done an in-depth analysis of the app, the installers and the server-side tech that helped this threat go undetected until a couple of days ago. The upshot is that this is a very complex and quite sophisticated system, starting with the server-side setup, where the download URL paths to the malicious APK files are regenerated hourly, which helps prevent the URLs from being detected and blocked by antivirus software.
After all of that, it's likely that only a very small percentage of users would actually be vulnerable to a malware attack like this, and they're either blissfully ignorant of the dangers of installing apps from the web rather than the Play Store, or know what they're doing and should probably know better.
In the end, this is another case of a malicious attack relying on people deliberately stepping around the security settings in Android, so the message is: don't panic. The reality is that if you stick to downloading apps from the Play Store and are cautious about what you install from there, the types of attacks now occurring on the maturing Android platform are unlikely to affect you.