An Android banking malware attack is tricking people into entering their phone number and other sensitive information into phishing websites – which cyber criminals then use to call victims and dupe them into installing malware on their smartphones.
The telephone-oriented attack delivery (TOAD) technique is designed to infect Android users with Copybara Android banking malware, which steals usernames and passwords for online-banking accounts – as well as information that allows attackers to bypass security questions.
The campaign has been detailed by cybersecurity researchers at ThreatFabric, who warn the attack is targeting multiple different banks and their customers.
Attacks begin with SMS phishing messages containing a link that claims to be from an online bank. The page the victim is directed to depends on which bank is being imitated, but researchers say the attackers have impersonated several banking websites.
Each fake banking website asks the user to enter similar forms of information, including account number, PIN code and telephone number.
But it isn’t via these phishing links that the malware is installed. Instead, anyone who enters their data into the forms is told that a “support operator” will be in touch – and soon afterwards, they’ll receive a call.
The call, which claims to be offering support to the Android user, is actually from a scammer who coerces the victim into installing what they’re told is security software onto their device.
This is done under the false premise of providing remote support to the victim, but what is really happening is that the cyber criminal is gaining control of the device in order to carry out further fraud, in a way that means victims might not realise they are being tricked. They may even trust the voice on the other end of the phone simply because the caller has said they are there to help.
“The ‘support operator’ with the help of social-engineering techniques convinces the victim to install the malware, thus leading to high quality infections and less suspicious victims,” Alexander Eremin, mobile threat intelligence lead at ThreatFabric, told ZDNET.
“The ‘operator’ can guide the victim through the process of installation and granting all the necessary permissions, including enabling accessibility services,” he added.
If successful, this technique allows the attacker to install the ‘security software’ onto the smartphone. But this tool doesn’t help the victim at all and is actually Copybara Android malware, which first appeared last year.
The malware provides attackers with remote access to the infected devices, allowing them to use the information that has previously been stolen in the phishing attack to gain access to and raid bank accounts.
Also, by abusing accessibility services, the malware can install additional apps, perform clicks and swipes, as well as being able to enter text – all abilities that could be used to further defraud victims.
Copybara also allows attackers to create and display fake input forms, which they can tailor towards the victim in order to gain access to additional passwords and accounts.
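As an added defender-side illustration (not code from ThreatFabric or this article), the following Python helper parses the Android secure setting that lists enabled accessibility services, as dumped with `adb shell settings get secure enabled_accessibility_services`, and flags any entry whose package is not on an allowlist; the allowlist and the sample values are assumptions constructed for the example.

```python
# Added example (not from ThreatFabric or ZDNET): triage helper that parses the
# Android "enabled_accessibility_services" secure setting, as printed by
# `adb shell settings get secure enabled_accessibility_services`, and flags
# enabled services whose package is not on a known-good allowlist. Malware like
# Copybara needs an accessibility service enabled to click, swipe and type on
# the victim's behalf, so an unexpected entry is a useful triage indicator.
from typing import List, Tuple

# Hypothetical allowlist: packages whose accessibility services are expected
# on a managed fleet (e.g. the platform TalkBack screen reader).
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}

def parse_enabled_services(setting_value: str) -> List[Tuple[str, str]]:
    """Split the colon-separated setting into (package, class) pairs.

    `adb` prints the literal string "null" when the setting is unset, and a
    flattened ComponentName may use the short "pkg/.Cls" form, which Android
    expands to "pkg/pkg.Cls".
    """
    value = (setting_value or "").strip()
    if not value or value == "null":
        return []
    services = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # malformed fragment: skip rather than guess
        package, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = package + cls
        services.append((package, cls))
    return services

def flag_unexpected_services(setting_value: str,
                             allowlist=KNOWN_GOOD_PACKAGES) -> List[str]:
    """Return flattened 'pkg/cls' names of enabled services not on the allowlist."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(setting_value)
            if pkg not in allowlist]

if __name__ == "__main__":
    # Constructed sample: TalkBack plus a sideloaded app posing as "security software".
    sample = ("com.google.android.marvin.talkback/.TalkBackService:"
              "com.example.fakesecurity/com.example.fakesecurity.RemoteSvc")
    for name in flag_unexpected_services(sample):
        print("unexpected accessibility service enabled:", name)
```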
While the campaign analyzed by researchers is currently restricted to Italian banks, researchers warn that if it proves to be successful, the attack technique will spread.
“We expect further evolution of similar services providing flexible and convenient ways of maintaining hybrid fraud attacks, leading to more campaigns in this field,” said Eremin.
To avoid falling victim to this or any other form of malware attack, users should exercise caution when clicking links sent in SMS messages, particularly if the message is unexpected or is suggesting urgency – and especially if the link asks you to download something that isn’t from the official Google Play app store.
Users should also be suspicious of calls that claim to be from their bank and that ask them to give out personal information or install remote-access software on their device, as that is a likely sign of a scam.
If you are worried a warning could be legitimate – or that you’ve installed banking malware – you should call your bank directly using the phone number listed on their website.
Users who think they’ve fallen victim to mobile malware are urged to reset their device – and to reset their passwords.
“The best option is to perform a factory reset of the infected device, which will remove the malware from the device,” said Eremin.