Internet security firm Quick Heal Security Labs says it has identified a new Android malware that can masquerade as more than 200 banking apps including some Indian ones.
Called Android.banker.A2f8a, the trojan - a program disguised as legitimate software - is designed to steal login credentials, hijack text messages, upload contact lists and text messages to a malicious server, display an overlay screen (to capture details) on top of legitimate apps and execute other such malicious activities, Quick Heal wrote in a blog post.
"Android.banker.A2f8a is being distributed through a fake Flash Player app on third-party stores," Bajrang Mane, who leads the threat analysis, incident response, and automation teams in Quick Heal Security Labs, wrote in the post.
Mane said that Flash's popularity makes it a common target for hackers.
What makes the malware particularly dangerous is that even if the user denies permission or administrative rights or tries to kill the process on the device, "it keeps throwing continuous pop-ups until the user activates the admin privilege," said Mane.
Quick Heal said that once the privilege is activated, the app hides its icon as soon as the user taps on it. In the background, the app keeps scanning for the 232 banking and cryptocurrency applications from which to steal data.
Once it identifies an app that it can target, it pushes a fake notification on behalf of the targeted banking app.
"If the user clicks on the notification, they are shown a fake login screen to steal the user’s confidential info like net banking login ID and password," Quick Heal said.
The malware can read all incoming and outgoing texts and can also bypass the OTP-based two-factor authentication on the target’s bank account.
The trojan also has the ability to change the device's ringer volume to silence text message notifications.
Banking apps of lenders including Axis Bank, HDFC Bank, ICICI Bank, IDBI Bank and Union Bank are among those vulnerable.
As a precaution, Quick Heal has warned Android users to avoid downloading apps from third-party sources or from links sent via text messages or emails.
"Always keep ‘Unknown Sources’ disabled. Most importantly, verify app permissions before installing any app even from official stores such as Google Play. Always keep your device OS and mobile security app up-to-date," the IT security firm said.
This development comes three months after a malware infection led to more than 32 lakh debit cards in India being compromised.