Two new applications that managed to slip into Google Play despite being infected with the BankBot Trojan have been observed targeting the legitimate apps of Polish banks, ESET warns.

The malware hid inside the seemingly legitimate Crypto Monitor, an app for tracking cryptocurrency prices, and StorySaver, a utility that helps users download stories from Instagram. Both applications provide their users with the promised functionality, but also serve a nefarious purpose.

On the victim’s device, the apps can display fake notifications and login forms that have been designed to look as if they come from legitimate banking applications, which allows them to harvest the credentials victims enter into the fake forms.

They can also intercept text messages, thus being able to bypass SMS-based 2-factor authentication.

The BankBot banking Trojan was first observed about a year ago, when its source code leaked online alongside instructions on how to use it. It took over a month for the first malware based on that code to emerge, but numerous BankBot variations have been observed since, some in Google Play.

In a report published in early November, RiskIQ revealed that the malware managed to slip into the official Android application store disguised as Cryptocurrencies Market Prices, an application for users looking for timely information for people who engage in cryptocurrency marketplaces.

Only a couple of weeks after that report, the Crypto Monitor malicious app was uploaded to Google Play, under the developer name walltestudio. Four days later, on November 29, StorySaver was published to the marketplace, under the developer name kirillsamsonov45, ESET says.

The applications had between 1000 and 5000 downloads when ESET reported their malicious behavior to Google on December 4. Both of them have been removed from the application store.

After being launched on the infected device, the malicious apps retrieve information on the installed programs and compare these against a list of targeted banking software.

According to ESET, the malware targets the official apps of fourteen Polish banks, namely Alior Mobile, BZWBK24 mobile, Getin Mobile, IKO, Moje ING mobile, Bank Millennium, mBank PL, BusinessPro, Nest Bank, Bank Pekao, PekaoBiznes24, plusbank24, Mobile Bank, and Citi Handlowy.

The malware can display fake login forms imitating those of the targeted apps and can do so either without any action from the user, or after the user clicks on a fake notification.

ESET claims that most of the infections (96%) were detected in Poland, but that a small set of users in Austria were infected as well (the remaining 4% of detections). The local social engineering campaigns propagating the malicious apps contributed to this.

“The good news is that this particular banking malware doesn’t use any advanced tricks to ensure its persistence on affected devices. Therefore, if you’ve installed any of the above described malicious apps, you can remove them by going to Settings > (General) > Application manager/Apps, searching for either “StorySaver” or “Crypto Monitor” and uninstalling them,” ESET says.

Mobile banking users who installed one of the malicious applications are advised to check their bank account for any suspicious activity. They should also consider changing PIN codes, the researchers say.

Related: Millions Download “ExpensiveWall” Malware via Google Play

Related: Android Malware Found on Google Play Abuses Accessibility Service

Source: infosec island

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!