Banking Trojan spreads via fake Google Play Store page

Security experts have discovered a new banking trojan spreading through a fake Google Play Store page. Strangers pretend to be showing an app from a well-known bank. However, so far only infections have been known outside Europe.

But it doesn’t have to stay that way for long, because the cyber gangster hoax works so well that experts fear it will find imitators all over the world (via sleeping computer). All kinds of tricks are used to address this vulnerability. It goes from stealing an actual app to simulating a Play Store page to downloading an app that later reloads a dangerous Trojan.
Infographic: 23.4 million victims of German cybercrime

First discovered in Brazil

The Android banking trojan is currently targeting Itaú Unibanco, a major financial services company in Brazil with 55 million customers worldwide. The scammers set up a page for the app, which looks very similar to the official Android Google Play app store, to trick visitors into believing they are installing the app from a trustworthy service. The malware pretends to be the official banking app from Itaú Unibanco and displays the same legitimate app icon.

When the user clicks on the “Install” button, he is offered to download the APK, which is the first sign of the scam. Google Play Store apps are installed through the store interface without requiring the user to download and install software manually.

Hijack the actual application

Then the interesting second step. Once the fake app is installed via APK, it tries to open the real Itaú banking app from Play Store. If that works, it uses the actual app to perform fraudulent transactions by changing the user’s input fields and thus accessing the login data. The fake app does not ask for dangerous permissions during installation, avoiding raising suspicion or risking detection by AV tools.

With its tricks, it bypasses basically all security measures on Android systems – both those that Google has included, as well as those of other antivirus tools. According to malware finders, Google urgently needs to close this vulnerability as more and more cyber crooks exploit it. Websites spreading malicious APKs have been reported and taken offline at the moment, but actors can quickly return via other domains.

See also:

Google, Android, Hackers, Security, Malware, Viruses, Trojans, Malware, Adware
gda portal / flickr