Android malware targets banking apps

A sophisticated new piece of android malware is targeting Android users of banking apps for the largest banks in Australia, New Zealand and Turkey.

When the user logs in their banking app, Android/Spy.Agent.SI (its name, designated by ESET) puts up a fake login screen to capture their username or id and their password. These details are sent on to the attacker.

Of course, nowadays that's not enough to siphon money from someone's account. Usually, two-factor authentication is required to add a new bank account so money can be transferred. This is the clever part - the malware intercepts the bank's SMS messages for two-factor authentication, and forwards them to the attacker. And that's all they need. It then deletes the SMS messages.

How is it installed?

Firstly, you have to have your phone set up to allow "Unknown sources" (a device administration option). By default you can't install apps that are not from Google Play (known as "side-loading"), so unless you've changed this option you are safe.

One reason for allowing unknown sources is for the Amazon Underground App, which allows Android phones to access the Amazon app store.

The malware pretends to be the Adobe Flash player application. If you visit an infected website, it will prompt you to download and install it. You'll have to ignore Android's warning to do so. It then asks for administrator rights so that it can't be uninstalled.

How do I get rid of it?

Detailed instructions can be found here. If you have allowed unknown sources and discover the "Flash Player" app is installed, don't use a banking app until it is removed.


You should not install anything on an Android that is not from Google Play. Don't allow unknown sources. If you do decide to install the Amazon app, be extremely cautious about allowing other apps to install.

Posted by John Faulds in