An Android financial Trojan has added functionality to defeat voice call-based two-factor authentication (2FA) systems, Symantec revealed in a recent post on its official blog.
Voice call-based 2FA is an improvement introduced by some financial organisations in response to incidents where malware residing on the victim's device snooped on or intercepted the incoming SMS containing the user's one-time passcode (OTP).
However, the creators of Android.Bankosy found a loophole in this improvement and exploited it.
Discovered by Symantec in the last quarter of 2015, Android.Bankosy works as follows: it opens a backdoor in the affected device, collects system-specific data, and sends that information to the command & control (C&C) server. The server will then register the device and get a unique identifier for it.
Once the registration is successful, the malware uses the received unique identifier to communicate with the C&C server and receive commands such as intercepting incoming SMS or deleting messages. The backdoor can also disable and enable silent mode, and lock the affected device to prevent the user from being alerted during an incoming call.
Android.Bankosy can also remotely switch on the call forwarding function on the compromised device. Once that is done, the attacker will be able to receive the call containing the second factor in 2FA to complete a transaction, without the victim's knowledge.
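The behaviours described above (SMS interception, call control, silencing the device, and talking to a C&C server) each require specific Android permissions, so a quick triage step when examining an unknown APK is to check whether its manifest declares that combination. The following script is an added example for analysts, not code from Symantec's post or from the malware; the mapping from behaviour to permission names is this example's own assumption, and the two manifests are constructed samples. It is a coarse heuristic for prioritising samples, not a detector: legitimate dialer or messaging apps can legitimately declare the same set.

```python
"""Triage helper: flag Android manifests whose declared permissions cover the
capability profile described for Android.Bankosy (SMS interception, call
control/forwarding, silencing the device, network C&C)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Assumption of this example: the article describes behaviours, not
# permissions. These are the standard Android permissions an app would need
# to implement each behaviour it mentions.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "call_control": {"android.permission.CALL_PHONE"},
    "silence_device": {"android.permission.MODIFY_AUDIO_SETTINGS"},
    "network_c2": {"android.permission.INTERNET"},
}
# Number of capability groups that must all be present before we flag a sample.
ALERT_THRESHOLD = 3


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def matched_capabilities(perms: set[str]) -> dict[str, set[str]]:
    """Map each capability group to the subset of its permissions the app holds."""
    return {cap: perms & needed
            for cap, needed in CAPABILITIES.items() if perms & needed}


def triage(manifest_xml: str) -> dict:
    """Score a manifest: which capability groups are covered, and whether the
    combination is broad enough to deserve a closer look."""
    caps = matched_capabilities(declared_permissions(manifest_xml))
    return {"capabilities": caps, "suspicious": len(caps) >= ALERT_THRESHOLD}


# Constructed sample: a manifest covering every behaviour in the article.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
</manifest>"""

# Constructed sample: an ordinary messaging app that only needs SMS and network.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.constructed.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("sample", SUSPICIOUS_MANIFEST),
                            ("messenger", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, "suspicious" if result["suspicious"] else "ok",
              sorted(result["capabilities"]))
```

Running it prints the matched capability groups for each manifest; the constructed sample trips all four groups and is flagged, while the messenger covers only two and is not. In practice the threshold and the groups would be tuned to the app category being reviewed, and a hit is a reason to look at the code paths behind those permissions, not a verdict.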
To avoid falling prey to this malware, Symantec recommends that Android users keep the software on their devices up to date, download apps only from trusted sources, pay attention to the permissions apps request, and install a suitable mobile security app.