September 29, 2016
Zscaler has detected a new Android banking trojan that is currently active only in South Korea, where it infects users by posing as a popular antivirus app and then steals SMS messages and the authentication certificates used for banking operations.
Based on the technical analysis provided by the Zscaler team, the as-yet-unnamed banking trojan is still under development and appears to be a companion to a desktop banking trojan, although it may also be developed further to work on its own.
There are only three main features in the trojan's code. The first is the ability to talk to its C&C server, from which it receives instructions and to which it sends stolen data.
The second is its ability to intercept and steal SMS messages without showing any indicators on the user’s screen that a message was received.
This feature matters most during a banking transaction, when the bank sends the user a confirmation SMS. If the user never sees that SMS, he or she will not be alerted that a mobile or desktop trojan is ravaging their bank account.
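The SMS-interception behaviour described above leaves a recognisable footprint in an app's manifest: SMS permissions combined with a broadcast receiver for incoming messages, often registered at a high priority so it sees the message before the user's messaging app does, plus network access to send the captured text to a C&C server. The following static-triage heuristic is an added example written for this article; it is not code from Zscaler's analysis or from the trojan itself. The two manifests it inspects are constructed samples, the `triage_manifest` function and its finding labels are this example's own, and the priority threshold of 100 is an arbitrary tuning assumption. It flags candidates for closer analysis, not verdicts, since legitimate messaging apps also request these permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 100  # assumed threshold; tune to your own triage policy

# Constructed sample (not a real app): a fake "antivirus" package that asks for
# SMS permissions, registers a high-priority SMS receiver, and has network access.
SUSPICIOUS_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakeav">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Antivirus">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="{SMS_RECEIVED}"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign sample: network access only, no SMS handling at all.
BENIGN_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Return permissions, SMS receivers and heuristic findings for one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}

    # Collect every receiver whose intent-filter listens for incoming SMS,
    # together with the priority it asked for (0 when not set).
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                priority = int(_attr(flt, "priority") or 0)
                sms_receivers.append((_attr(receiver, "name"), priority))

    findings = []
    if "android.permission.RECEIVE_SMS" in perms and sms_receivers:
        findings.append("listens for incoming SMS")
    if any(priority >= HIGH_PRIORITY for _, priority in sms_receivers):
        findings.append("high-priority SMS receiver")
    if "android.permission.READ_SMS" in perms:
        findings.append("can read the SMS inbox")
    # Network access only matters once there is something to exfiltrate.
    if findings and "android.permission.INTERNET" in perms:
        findings.append("network access for exfiltration")

    return {
        "permissions": sorted(perms),
        "sms_receivers": sms_receivers,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(label, "->", result["findings"] or ["no SMS-related findings"])
```

In practice the manifest comes out of an APK via a decoder such as apktool, which turns the binary AndroidManifest.xml back into the text form this function parses; the heuristic is then run across a whole app inventory so that a package posing as an antivirus tool but carrying these permissions stands out for manual review.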