Crooks are spreading Android malware disguised as a one-time password (OTP) generator app for banking apps that steals the user’s banking credentials and then installs the TeamViewer QuickSupport app to allow attackers to take over the victim’s phone.
Researchers say this threat (ANDROIDOS_FAKEBANK.OPSA) is part of a two-year-old malware distribution campaign called Operation Emmental.
This year, the crooks behind Operation Emmental have been active in January, when they first hid their malware inside another OTP app, and in May, when they used the devious trick of locking the user out of his phone while they emptied his banking account. Thankfully, the May variant only targeted Russian banks and was never spread globally.
Malware wants access to Android’s accessibility services
The latest version of this threat is related to the January 2016 campaign, with the crooks returning to hiding their banking credentials-stealing malware in, ironically, a banking-related app. The app’s name is SmsSecurity, and it’s advertised as an app that can generate one-time access codes for banking accounts.
This time around, crooks knew researchers were on their trail, and hardened the app with anti-tampering measures and checks to prevent researchers from running the app in an Android emulator.
Unlike most Android malware families that focus on pestering the users with non-stop popups until they get administrator rights, this malware wants the user to enable accessibility services.
The reason is that the malware can use Android’s accessibility features to secretly grant itself admin rights at a later point. Back in May 2016, Symantec researchers were warning about an upcoming trend of Android malware apps that might abuse this feature.
Targets only European users
Once the malicious SmsSecurity Android app gets admin rights, it has the necessary powers to collect login credentials, which it sends to its C&C server.
Trend Micro researchers say the app targets customers of banks in Austria, Hungary, Romania, and Switzerland. The names of the targeted banks are:
- Aargauische Kantonalbank
- Bank Austria
- Banque Cantonale de Fribourg
- BKB Bank
- Credit Suisse
- Erste Bank
- Glarner Kantonalbank
- Luzerner Kantonalbank
- Ober Bank
- Obwaldner Kantonalbank
- Raiffeisen Bank
- Schaffhauser Kantonalbank
- Zürcher Kantonalbank
One new trick the app seems to have added is the ability to download the TeamViewer QuickSupport app on the victims’ phones.
Taking advantage of the administrator rights it acquired and access to the accessibility service, the malware starts a TeamViewer session, reads the local ID, and passes it on to the C&C server, in order for attackers to connect to victims’ phones.
This is just one of the latest tricks the crooks of Operation Emmental have added to their malware’s arsenal, and their track record shows they’ll likely find new and ingenious ways of infecting users’ phones.