Banking transactions for owners of Android phones just became more dangerous with a new iteration of the SpyEye Trojan designed to intercept two-factor authentication codes sent via SMS - the first known version for Android.
The malware not only tries to steal authentication information banks send via SMS, it also encourages users to go out and buy an Android if they don't already have one, according to Ayelet Heyman, senior malware analyst for Trusteer, which makes software to thwart banking malware.
Targeting Android suits attackers because the malicious app can begin commandeering SMS messages straight away, whereas on Symbian phones they have to wait three days, she says.
Trusteer discovered the SpyEye variant in the wild in Spain on 26 July, and Heyman wrote about it today in a blog post.
The attack is carried out against customers of targeted banks that use SMS messages to send out one-time passwords as customers log in.
It all starts from the desktop
Attackers first compromise customers' home desktops that are used for remote banking transactions, then compromise the phones so they can intercept the one-time passwords.
Once both the desktop and the phone are infected, the attackers log in to the customer's account with the credentials stolen from the compromised desktop. When the bank sends the one-time password by SMS, the malware on the phone diverts it to the attacker, who uses it to complete authentication. Once in, the attacker can withdraw or transfer funds.
The phone compromise starts when a victim connects to a targeted bank's website from the infected desktop. A message pops up, inserted by the desktop malware rather than by the bank, saying that a mandatory new security measure is being implemented that requires downloading a security application to an Android phone. The user is then walked through downloading and installing the malicious application.
You "will be forced" to buy an Android if you don't have one
Once activated, the malware picks off every incoming SMS message and forwards it to the attacker's command-and-control server.
For customers who don't have Androids, the malware offers this message: "Users who do not have cell phones that work on the Android platform will be forced to buy it. ... It's inconvenient, but it is the only way to keep their money secure."
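The capability described above, a component that receives every incoming SMS and has the network access to forward it, is visible in an app's manifest before the app is ever run. The script below is an added triage example written for this article; it is not Trusteer's code and not the malware's. It parses a decoded AndroidManifest.xml (the binary manifest inside an APK has to be decoded first, for example with apktool or aapt) and reports SMS permissions, receivers registered for the SMS_RECEIVED broadcast and their priority, and whether the app also holds INTERNET. The two sample manifests, the package name, the receiver class name and the "suspicious" rule (SMS receiver plus INTERNET) are constructed for illustration and are my assumptions, not indicators taken from the page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
INTERNET_PERMISSION = "android.permission.INTERNET"


def android_attr(name):
    """Namespace-qualified name for an android:* manifest attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def triage_manifest(manifest_xml):
    """Summarise SMS-interception indicators found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(android_attr("name")) for el in root.iter("uses-permission")}

    # Every <receiver> whose <intent-filter> subscribes to incoming SMS,
    # together with the android:priority the filter declares (0 if absent).
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {a.get(android_attr("name")) for a in intent_filter.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                try:
                    priority = int(intent_filter.get(android_attr("priority"), "0"))
                except ValueError:
                    priority = 0  # non-numeric value: treat as default priority
                sms_receivers.append((receiver.get(android_attr("name")), priority))

    report = {
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_receivers": sms_receivers,
        "has_internet": INTERNET_PERMISSION in perms,
        "findings": [],
    }
    if report["sms_permissions"]:
        report["findings"].append(
            "requests SMS permissions: " + ", ".join(report["sms_permissions"]))
    for name, priority in sms_receivers:
        msg = "receiver %s listens for SMS_RECEIVED" % name
        if priority > 0:
            msg += " with priority %d (runs ahead of lower-priority receivers)" % priority
        report["findings"].append(msg)
    if sms_receivers and report["has_internet"]:
        report["findings"].append(
            "SMS listener plus INTERNET: intercepted messages can be forwarded off the device")
    # Assumed rule for this example: an SMS listener that can also reach the network.
    report["suspicious"] = bool(sms_receivers and report["has_internet"])
    return report


# Constructed sample: the shape of an SMS-forwarding "security app" manifest.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.banksecurity">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Bank Security">
        <receiver android:name=".SmsListener">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: a network-using app with no interest in SMS.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(xml)
        print(label, "suspicious=%s" % result["suspicious"])
        for finding in result["findings"]:
            print("  -", finding)
```

The priority value matters on the Android versions of the time: SMS_RECEIVED was delivered as an ordered broadcast, so a receiver declaring a higher priority than the messaging app ran first and could call abortBroadcast() to keep the message from ever reaching the inbox, which is how an interceptor stays quiet. That is general Android behaviour rather than something the article states; from Android 4.4 onwards only the default SMS app can consume the message, which blunts that particular trick but not the forwarding itself.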
Heyman says she thinks the next innovation will be for SpyEye to commandeer sessions initiated from mobile phones rather than desktops.
Thankfully, most high street banks in the UK do not send authentication codes via SMS, preferring one-time PIN generators, online or voice authentication instead, although none of these addresses the desktop compromise with which the attack begins.