A new malicious banking trojan, identified as Android.banker.A2f8a, has been discovered and is targeting over 200 banking apps, 23 cryptocurrency apps and various shopping and gambling apps for Android devices. The trojan is designed to steal user credentials, intercept SMS messages, display a fake overlay on top of legitimate apps and steal contact lists. Infection occurs after the user downloads a fake Flash Player app onto their device from a third party app store. The malicious app then spams the user with requests for administrative privileges. Once Android.banker.A2f8a has admin privileges it scans for targeted apps and if detected shows a false notification requiring the user to login and steals their credentials.
What we’re doing about it
- Tracking related indicators
- Active IP addresses will be blocked in the Global Blacklist as they become available
What you should do about it
- Avoid the use of third party app markets
- Actively manage the security configuration of enterprise mobile devices
- Keep track of the permissions apps request
- Android.banker.A2f8a has the ability to intercept incoming and outgoing SMS messages. This allows the trojan to bypass various forms of multi-factor authentication.
- It is important to note that Adobe Flash player was discontinued (after version 4.1 of Android), as it has been incorporated into the mobile browser. As such, there is no legitimate reason to download any app posing as Adobe Flash onto an android device.
- While analyzing the malicious APK, domain torragnarek[.]com was observed. However this domain does not currently resolve to an IP address.