A new Trojan that can steal your payment data will also try to stymie you from alerting your bank.
Security vendor Symantec has noticed a “call-barring” function within newer versions of the Android.Fakebank.B malware family. By including this function, a hacker can delay the user from canceling any payment cards that have been compromised, the company said below.
Fakebank was originally detected in 2013. It pretends to be an Android app, when in reality, it will try to steal the user’s money.
The malware works by first scanning the phone for specific banking apps. When it finds them, the Trojan will prompt the user to delete them and install malicious versions of those same apps.
The newer variants of Fakebank.B, however, will do more than just collect financial login data. They will also monitor whatever phone calls are made.
If the customer service numbers of certain banks are dialed, the Trojan will cancel the call, Symantec said. Instead, users will have to use email or another phone to reach their banks.
So far, this new Trojan has only been detected in Russia and South Korea. Symantec is advising users refrain from downloading apps from less trustworthy sources, like third-party app stores.
The call-barring function shows how banking Trojans are continuing to evolve. Earlier this year, Symantec detected another kind called Android.Bankosy that can bypass voice-based two-factor authentication systems.
To do this, the Trojan will secretly activate call forwarding on the victim’s phone. All calls will then be redirected to the hacker’s own numbe
Once installed, the new Android.Fakebank.B variants register a BroadcastReceiver component that gets triggered every time the user tries to make an outgoing call. If the dialed number belongs to any of the customer service call centers of the target banks, the malware programmatically cancels the call from being placed.
Figure. Code responsible for programmatically canceling outgoing calls to South Korean banks
We have observed the variants targeting financial institutions in Russia and South Korea. The following are some of the customer care numbers that the variants are blocking:
- KB Bank: 15999999
- KEB Hana Bank: 15991111
- NH Bank: 15442100 and 15882100
- Sberbank: 80055550
- SC Bank: 15881599 and 15889999
- Shinhan Bank: 15448000, 15778000, and 15998000
Typically, when a banking customer calls a customer care number through a registered mobile device, their call will be routed to an Interactive Voice Response (IVR) System. By blocking these numbers, the malware creators can stop a victim from asking their bank to cancel payment cards that the variants stole. This also gives the malware more time to steal data from the compromised device. Affected users can still find other channels, such as email or landline calls, to reach customer care.
Symantec recommends users follow these best practices to stay protected from mobile threats:
- Keep your software up to date
- Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
- Pay close attention to the permissions requested by apps
- Install a suitable mobile security app, such as Norton, to protect your device and data
- Make frequent backups of important data
References : http://www.pcworld.com/article/3095965/security/this-android-trojan-blocks-the-victim-from-alerting-banks.html