Banking transactions for owners of Android phones just became more dangerous with a new iteration of the SpyEye Trojan designed to intercept two-factor authentication codes sent via SMS -- the first known version for Android.
The malware not only tries to steal authentication information banks send via SMS, it also encourages users to go out and buy an Android if they don't already have one, according to Ayelet Heyman, senior malware analyst for Trusteer, which makes software to thwart banking malware.
Customizing the malware for Android benefits attackers because they can commandeer SMS messages immediately, rather than waiting three days as is the case with Symbian phones, she says.
Trusteer discovered the SpyEye variant in the wild in Spain on July 26, and Heyman wrote about it today in a blog post.
The attack is carried out against customers of targeted banks that use SMS messages to send out one-time passwords as customers log in.
Attackers first compromise customers' home desktops that are used for remote banking transactions, then compromise the phones so they can intercept the one-time passwords.
Once they have infected both the desktops and phones, they attack customers' accounts by logging in with credentials stolen from the compromised computer. When SMS messages carrying the one-time passwords are sent, the malware on the phone diverts the passwords to the attacker, who uses them to complete authentication to the users' accounts. Once in, the attacker can withdraw or transfer funds.
The phone compromise starts when a victim connects to a targeted bank's website via desktop. A message pops up that says a mandatory new security measure is being implemented that requires downloading a security application to an Android phone. The user is walked through how to download and install the malicious application.
Once activated, the malware picks off all SMS messages and forwards them to the attacker's command and control server.
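The behaviour just described (an app that holds the SMS permission, registers a receiver for incoming SMS so it sees the message before the stock messaging app does, and has a network path to send it onward) is visible in an app's manifest before it is ever run. The following is an added defensive example written for this article, not code from the article or from Trusteer: a small static check over an AndroidManifest.xml that flags that combination. The two manifests at the bottom are constructed samples, the package names and receiver class are invented, and the priority threshold of 1000 is an assumption (it is Android's documented SYSTEM_HIGH_PRIORITY value, and SMS grabbers typically declare something at or above it).

```python
"""Static triage of an AndroidManifest.xml for OTP-interception capability.

Added defensive example (assumed names, constructed samples). The check is:
  1. does the app request RECEIVE_SMS (or READ_SMS)?
  2. does it register a broadcast receiver for SMS_RECEIVED, and at what priority?
  3. does it also hold INTERNET, giving it a way to forward what it reads?
Each positive answer is recorded as a finding; any finding marks the app suspicious.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"   # real Android manifest namespace
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"     # real broadcast action
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
HIGH_PRIORITY = 1000   # assumption: android.content.IntentFilter.SYSTEM_HIGH_PRIORITY


def _attr(elem, name):
    """Read an android:-prefixed attribute; ElementTree stores it as {ns}name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text):
    """Return a dict describing the manifest's SMS-related capabilities and findings."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}

    # Collect every receiver that listens for SMS_RECEIVED, with its filter priority.
    receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                priority = int(_attr(flt, "priority") or 0)
                receivers.append({"receiver": _attr(rcv, "name"), "priority": priority})

    findings = []
    if "android.permission.RECEIVE_SMS" in perms and receivers:
        findings.append("RECEIVE_SMS permission with an SMS_RECEIVED receiver")
    for r in receivers:
        if r["priority"] >= HIGH_PRIORITY:
            findings.append("high-priority (%d) SMS receiver %s" % (r["priority"], r["receiver"]))
    if "android.permission.INTERNET" in perms and receivers:
        findings.append("SMS receiver combined with INTERNET permission (possible exfiltration path)")

    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receivers": receivers,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample: what a fake "bank security" app's manifest would look like.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.banksecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank Security Update">
    <receiver android:name=".SmsListener">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with network access but no SMS interest.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>"""


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = analyze_manifest(text)
        print(result["package"], "suspicious" if result["suspicious"] else "clean")
        for f in result["findings"]:
            print("  -", f)
```

A manifest can be pulled from an APK with the Android SDK's `aapt` or extracted with `apktool`; the check is a triage signal rather than a verdict, since legitimate messaging apps also hold RECEIVE_SMS, but a "security update" app that a bank supposedly asked the user to install should never need it.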
For customers who don't have Androids, the malware offers this message: "Users who do not have cell phones that work on the Android platform will be forced to buy it. ... It's inconvenient, but it is the only way to keep their money secure."
Heyman says she thinks the next innovation will be for SpyEye to commandeer sessions initiated from cellphones rather than desktops.