A new form of smart Android malware can not only steal your online banking information, but update itself in the future and secretly send contact information stored on your device off to the Bad Guys. Security researchers at McAfee have discovered a malicious Android application capable of grabbing banking passwords from a mobile device without infecting the user’s computer.
From a McAfee blog post on the subject, penned by Malware Researcher Carlos Castillo: "To get the fake token, the user must enter the first factor of authentication (used to obtain initial access to the banking account). If this action is not performed, the application shows an error. When the user clicks “Generar” (Generate), the malware shows the fake token (which is in fact a random number) and sends the password to a specific cell phone number along with the device identifiers (IMEI and IMSI). The same information is also sent to one of the control servers along with further data such as the phone number of the device."
The app also includes a number of nasty lines of code that could be used to obtain users' contact lists and then send them off to a control server. "From man-in-the-middle attacks we now see more sophisticated, remote-controlled banking Trojans that can get more than one factor of authentication and update itself to, for example, modify a phishing attack to get other required credentials–such as the name or the ID number of the user–to perform electronic fraud," writes Castillo. "Due to the increasing popularity of Android and mobile-banking applications, we expect that more threats like this will appear."
If Mobile banking does take off, beware, since the Android security architecture won't be able to stop those types of attacks, given the ease with which users can be tricked, via social engineering attacks, into installing third-party applications.