Hesperbot also appears to have a limited geographic distribution — primarily Turkey and the Czech Republic. However, the campaign, may expand. "It's quite likely we'll see more instances of this as time goes by," Eset Security Evangelist Stephen Cobb said in an interview. "I would expect we'll see more attacks in more countries."
Hesperbot is spread by luring targets to an infected website with a poisoned link embedded in an email or SMS message. The Czech scam sent targets to a website closely modeled on the landing page of the country's postal service.
"The aim of the attackers is to obtain login credentials giving access to the victim's bank account and to get them to install a mobile component of the malware on their Symbian, Blackberry or Android phone," Eset researcher Robert Lipovsky wrote in a blog.
He described Hesterbot as a very potent banking Trojan with features such as keystroke logging, creation of screenshots and video capture, setting up a remote proxy, creating a hidden VNC server on an infected system, intercepting network traffic and HTML injection.
Other banking Trojans, like Zeus and SpyEye, perform those functions, too; what sets Hesperbot apart is its use of new code to do those tasks. "It's not made with SpyEye or Zeus code," Evangelist Cobb said. "That might sound like a technical distinction, but the fact that someone went to the trouble to write a brand-new banking Trojan is indicative of the appeal that remains for the software."
That appeal will likely grow. "As more mobile capabilities are rolled out and mobile payments become more widespread and ubiquitous, malware is going to follow," said George Tubin, senior security strategist at Trusteer, an IBM company. "We're right at the beginning of it now."
He explained that improved security measures at larger banks have been driving cyber robbers downstream to mid- and small-sized banks. "Now, they'll also be moving into the mobile channel, because banks haven't deployed very sophisticated fraud detection technologies there yet," Tubin said.
Nevertheless, mobile infections can be avoided if a user is willing to avoid high-risk behavior. "They're not going to get infected if they stick to downloading apps from Google Play or their employer's app store," Randy Abrams, a research director at NSS Labs, said in an interview.
"There have been exceptions, and Google has allowed infected apps into their store," he continued, "but the majority of apps on Google Play are going to be very safe — as long as you don't consider compromising your privacy a safety issue."
Sign up for CIO Asia eNewsletters.