SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Breach Prevention
#
Cybersecurity
#
Digital Banking
Dangerous Android banking Trojan breaks into Google Play store
Mon, 22nd Feb 2016
FYI, this story is more than a year old
Author image
By Catherine Knowles, Journalist
Follow us

Towards the end of 2015, Kaspersky Lab experts noted a rise in mobile banking attacks in Australia. Soon it was discovered the primary reason for the increase was a single banking Trojan known as Acecard.

Identified by Kaspersky as ‘one of the most dangerous Android banking Trojans ever seen', the Acecard malware is capable of attacking users of nearly 50 different online financial applications and services, and is able to bypass the Google Play store's security measures.

The Acecard Trojan family uses almost all the malware functionality currently available - from stealing a bank's text and voice messages, to overlaying official app windows with false messages that simulate the official login page, all in an attempt to steal personal information and account details.

Besides banking apps, Acecard can overlay the following applications with phishing windows:

  • IM services: WhatsApp, Viber, Instagram, Skype;
  • Social networks: VKontakte, Odnoklassniki, Facebook, Twitter;
  • The Gmail client;
  • The PayPal mobile app;
  • Google Play and Google Music applications.

The malware was first detected in February 2014, but for a long period it showed almost no signs of malicious activity. This changed in 2015, when Kaspersky Lab researchers detected a spike in attacks. In the period May to December 2015, more than 6,000 users were attacked with this Trojan - with most of them were living in Russia, Australia, Germany, Austria and France.

During the two years of observation, Kaspersky Lab researchers witnessed the active development of the Trojan and registered more than 10 new versions of the malware, each with a far longer list of malicious functions than the previous one.

According to Kaspersky Lab, mobile devices were usually infected after downloading a malicious application masquerading as a legitimate one. Acecard versions are typically distributed as Flash Player or PornoVideo, although other names are sometimes used in a bid to imitate useful and popular software.

But this is not the only way this malware is distributed, the experts say. On 28 December 2015, Kaspersky Lab experts were able to spot a version of the Acecard downloader Trojan - Trojan-Downloader.AndroidOS.Acecard.b - in the official Google Play store.

The Trojan propagates under the guise of a game, and when the malware is installed from Google Play, the user will only see an Adobe Flash Player icon on the desktop screen and no actual sign of the installed application.

Looking closely at the malware code, Kaspersky lab experts are inclined to think that Acecard was created by the same group of cybercriminals that was responsible for the first TOR Trojan for Android Backdoor.AndroidOS.Torec.a and the first mobile encryptor/ransomware Trojan-Ransom.AndroidOS.Pletor.a.

The evidence for this is based on similar code lines (names of methods and classes) and the use of the same C-C (Command and Controls) servers. This proves that Acecard was made by a powerful and experienced group of criminals, most likely Russian-speaking.

Roman Unuchek, Kaspersky Lab USA senior malware analyst, says, “This cybercriminal group uses virtually every available method to propagate the banking Trojan Acecard.

“It can be distributed under the guise of another programme, via official app stores, or via other Trojans. A distinctive feature of this malware is that it's capable of overlaying more than 30 banking and payment systems as well as social media, instant messaging and other apps. The combination of Acecard's capabilities and methods of propagation make this mobile banker one of the most dangerous threats to users today.

In order to prevent infection Kaspersky Lab recommends the following:

  • Do not download or/and install any applications from Google Play or internal sources if they are untrusted or can be treated as such;
  • Do not visit suspicious web pages with specific content and click on suspicious links;
  • Install a reliable security solution on mobile devices;
  • Make sure that antivirus databases are up to date and functioning properly. 
Related stories
Illumio unveils AI enhancements for faster Zero Trust Segmentation adoption
RiverSafe teams up with Cribl to boost IT & data security services
Half of online traffic in 2024 generated by bots, report finds
Axis unveils hybrid cloud platform for adaptable security solutions
Cisco launches Hypershield for AI-driven security upgrade
Top stories
Fortinet recognised as Challenger in Gartner's 2024 Magic Quadrant for SSE
Coalition integrates cyber risk platform with top cloud services providers
Secolve & Asimily join forces to boost Australia's IoT security
Armis warns of major cyber-attack risk to 2024 global elections
i-PRO to support Genetec SaaS with new AI-enabled camera models