Rogue app replaces the legitimate one, removes itself after stealing sensitive details

Jun 27, 2014 09:04 GMT  ·  By

A malicious app posing as legitimate banking software has infected the Android devices of thousands of South Koreans in the past week, stealing sensitive information that can be used to access bank accounts.

According to Cheetah Mobile, customers from the following banks are targeted: Nong Hyup, Shinhan, Kookmin, Woori, Hana, Busan and the Korean Federation of Community Credit Cooperatives.

Once the malware reaches the Android device, it automatically scans for official online banking apps. It then displays an alert saying that the banking app needs to be updated and, if the user agrees, the legitimate app is replaced with the fake one.

Cheetah Mobile says that the malicious app looks very convincing and asks for the certification password, which protects “a document used to identify people for the purposes of online banking services, e-commerce, and other government related administrative purposes,” and which carries banking details such as the username and password.

At this stage of the scheme, the certification password is already in the hands of the cybercriminals. However, more sensitive details are solicited, such as the bank account number and the bank security card number; the latter is provided to the user when creating an account.

The crooks also make sure to eliminate evidence of the scam: after obtaining all the details they need to access the victim’s bank account, they present the user with a message saying that no Wi-Fi connection is available and that the device should be switched to the 3G network.

“Closing the message automatically exits the app, and deletes the app icon from the homescreen,” says Cheetah.

The threat can reach the victim in various ways; the lure can be a popular game or utility that has to be downloaded from alternative Android markets, beyond Google’s reach.

There are numerous such marketplaces in Korea, and the recommendation from security experts is to avoid them, despite the many attractions they present.

Having an antivirus product guarding the Android device is generally enough for keeping malicious apps out.
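The two warning signs described above (a bank-branded app that is not the bank's own package or is not signed with the bank's key, and an app installed from outside Google Play) can be checked mechanically from a device's app inventory. The script below is an added illustration of that kind of check; it is not Cheetah Mobile's tooling and not code from the article. Every package name, certificate and inventory entry in it is a constructed placeholder, and in practice the genuine package name and signer fingerprint would be taken from the bank's published app.

```python
"""Flag installed apps that present themselves as a known bank app but do not
match the bank's real package name, signing certificate or install source.
All identifiers and sample data below are constructed placeholders."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of an APK signing certificate (DER bytes), lowercase hex."""
    return hashlib.sha256(der).hexdigest()


# Constructed allow-list: what the genuine app for each bank label looks like.
# The package name and the certificate it is derived from are placeholders.
KNOWN_BANK_APPS: Dict[str, Dict[str, str]] = {
    "example bank": {
        "package": "com.example.bank.placeholder",
        "signer_sha256": cert_fingerprint(b"placeholder-genuine-bank-cert"),
    },
}

# Installer package name of Google Play; anything else counts as an alternative
# market or a sideloaded APK (installer None).
TRUSTED_INSTALLERS = {"com.android.vending"}


@dataclass
class InstalledApp:
    label: str                # name shown on the home screen
    package: str              # Android package name
    installer: Optional[str]  # installer package, None when sideloaded
    signer_der: bytes         # DER bytes of the APK signing certificate


def assess(app: InstalledApp) -> List[str]:
    """Return findings for an app whose label claims to be a known bank app."""
    expected = KNOWN_BANK_APPS.get(app.label.strip().lower())
    if expected is None:
        return []  # label does not impersonate a bank we know about
    findings: List[str] = []
    if app.package != expected["package"]:
        findings.append("package name differs from the bank's published app")
    if cert_fingerprint(app.signer_der) != expected["signer_sha256"]:
        findings.append("signing certificate differs from the bank's")
    if app.installer not in TRUSTED_INSTALLERS:
        findings.append("installed from outside the trusted store")
    return findings


def scan(inventory: List[InstalledApp]) -> Dict[str, List[str]]:
    """Map package name -> findings, for apps that raised at least one."""
    report: Dict[str, List[str]] = {}
    for app in inventory:
        findings = assess(app)
        if findings:
            report[app.package] = findings
    return report


# Constructed sample inventory: the genuine bank app, an impostor carrying the
# same label but a different package, signer and install source, and an
# unrelated sideloaded app that should not be flagged.
SAMPLE_INVENTORY = [
    InstalledApp("Example Bank", "com.example.bank.placeholder",
                 "com.android.vending", b"placeholder-genuine-bank-cert"),
    InstalledApp("Example Bank", "com.example.update.placeholder",
                 None, b"placeholder-attacker-cert"),
    InstalledApp("Notes", "com.example.notes.placeholder",
                 None, b"placeholder-notes-cert"),
]

if __name__ == "__main__":
    for package, findings in scan(SAMPLE_INVENTORY).items():
        print(package)
        for finding in findings:
            print("  -", finding)
```

The label match is deliberately loose (case and whitespace are ignored) because an impostor imitates what the user sees, while the package name and signer check are exact, since those are what the platform actually enforces; an app that trips all three findings matches the replacement pattern the article describes.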

The infection rate in this case seems to be growing at a rapid pace: the company recorded as many as 6,000 infections in a single day, and over the past week at least 3,000 users were infected daily.

In a more fortunate incident involving a rogue banking app, the malicious software was only able to send the username to the cybercriminal, because the code that would have leaked the password had been commented out.

That app had made it onto Google Play and was removed after Lookout researchers reported it.