Written by Sean Lyngaas
Brazil’s financial sector, which has long grappled with cybercrime, has a new foe.
An insidious Android application is trying to steal users’ login credentials, and their money, by impersonating Brazilian banks, researchers from IBM Security said Tuesday.
The malicious code is designed to steal the text messages that people use as a secondary security measure to log into their bank accounts. While focused on Brazil, the code could be repurposed to target banking sectors elsewhere, the researchers warned.
“Malware of this type is extremely simple to redirect to other regions by changing the target list and embedded screens, thereby modifying its attack turf and potential targets,” IBM researchers Ben Wagner and Limor Kessem wrote in a blog post.
Some of the Brazilian banks targeted operate in Spain, Portugal and across Latin America, according to IBM. The researchers didn’t name the targeted entities, and it remains unclear if any of the phishing attempts were successful.
IBM researchers also reported this month on another piece of malware that apparently originated in Brazil, but was being used to attack bank customers in Spain.
The code in the newest banking trojan — as the credential-stealing malware is called — is entirely new, according to IBM. But it uses a trick that is increasingly popular with cybercriminals: It lurks in the background of a user’s phone until the right time to display a fake banking login page. The success of the attack hinges on whether the person takes the bait and enters their credentials.
The hackers were sloppy in covering their tracks. Wagner and Kessem said the malware was easy to reverse-engineer and, unlike similar hacking tools, does not check whether it is being deployed in a virtual environment before installing.
“Malware is often created in a very agile development cycle, released as soon as a working module can help attackers achieve their goals,” Kessem told CyberScoop. “This malware is likely a work in progress and we may end up seeing it evolve further in the coming months.”
While Google has hired mobile security firms to clamp down on the number of malicious apps that appear in the Play Store, hackers have leveraged third-party app stores to get their malware onto Android phones.
With this new banking trojan, scammers are sending instructions to potential victims on how to download the app from a third-party source, beyond the reach of the Play Store’s gatekeepers.