Australia’s bank apps infected with malware

Australia’s largest banks have been the target of a very sophisticated Android attack stealing banking details which by-pass the two step verification process through SMS affecting millions of customers, reports the Sydney Morning Herald.

The malware is designed to mimic 20 mobile banking apps from Australia, New Zealand and Turkey, as well as login screens for PayPal, eBay, Skype, WhatsApp and several Google services.

According to Sydney Morning Herald, the banks affected are Commonwealth Bank, Westpac, National Australia Bank and ANZ Bank where customers are all at risk from the malware which hides on infected devices waiting until users open legitimate banking apps.

The malware then superimposes a fake login screen over the top in order to capture usernames and passwords.

Apart from Australia's Big Four banks it targets a range of other global financial institutions including Bendigo Bank, St. George Bank, Bankwest, ME Bank, ASB Bank, Bank of New Zealand, Kiwibank, Wells Fargo, Halkbank, Yapı Kredi Bank, VakıfBank, Garanti Bank, Akbank, Finansbank, Türkiye İş Bankası and Ziraat Bankası.

Along with stealing login details, the malware can also intercept two-factor authentication codes sent to the phone via SMS — forwarding the code to hackers while hiding it from the owner of the phone.

With access to this information, thieves can bypass a bank's security measures to log into the victims' online banking account from anywhere in the world and transfer funds.

Detected by ESET security systems as Android/Spy.Agent.SI, the malware sneaks onto Android devices by imitating the Adobe Flash Player application which many websites require in order to play streaming video.

Once installed the app requests device administrator rights, checks for installed banking applications and then reports back to base in order to download the relevant fake login screens, reports Sydney Morning Herald.

The infected Flash Player application does not come from Android's official Google Play app store, instead phone users are tricked into installing via infected websites or bogus messages.

To become infected Android owners must override the default security option and accept apps from unknown sources. The download comes from a range of bogus domains including flashplayeerupdate.com, adobeflashplaayer.com and adobeplayerdownload.com.

A Google spokesperson warned against allowing your phone to install any applications downloaded from the web.

"It's important to only install applications from sources you trust, such as Google Play," the spokesperson said.

"Over 1 billion devices are protected with Google Play which conducts 200 million security scans of devices per day."Infected Android devices include 'Flash Player' in the list of device administrators found under the Settings > Security > Device Administrators menu.

Attempts to remove Flash Player from this list generates a bogus alert warning that data may be lost, but it is safe to press OK. With its device administrator rights disabled it is possible to uninstall the malware via Settings > Apps/Application manager > Flash Player > Uninstall.

In some cases the malware superimposes a fake warning over the Device Administration list to prevent deactivation. The solution is to restart the Android device in Safe Mode, which restarts the device with all installed apps disabled, preventing the malware from blocking access to the Device Administration list.

The latest Android malware attack comes as Google steps up its efforts to block websites containing bogus advertisements and pop-ups which often link to malware.

According to the Sydney Morning Herald, these bogus messages often insist that visitors must install extra media player software, or update existing software such as Adobe Flash, in order to watch online video.