There is a new form of Android malware that steals financial data from a phone, but also goes after contact lists and text messages, researchers said.
Android.BankBot.211.origin spreads under the names of programs such as Flash Player, among others. To date, BankBot hasn’t made it to the Google Play Store, said researchers at security company Dr.Web.
The malware uses Android’s Accessibility Service to take over the phone, displaying a request prompt that would allow it to add itself to the device administrator list and become the default message manager, Dr.Web researchers said in a post.
Once the takeover is complete, BankBot can send an SMS containing a specific text to any number, extract text messages, open links, change the address of the company center, steal data like phone call info, contact lists and installed apps, and take screenshots of your passwords whenever you start typing them on websites.
The main mission of the malware, however, is to steal banking data. It can display fake input forms for login credentials, phishing dialogs asking for credit card details, and block the installation of antivirus apps that could prevent its features from running.
At first, the malware targeted Android users in Turkey, but the list of countries being hit expanded to Germany, France, the UK, and the U.S., researchers said.
“Android.BankBot.211.origin can attack users of any applications. Cybercriminals just have to update the configuration file with the list of targeted programs. The banker receives this list once connected to the command and control server,” Dr.Web researchers said.
Removing the malware is only possible in safe mode by deleting its entry from the device administrator list and then scanning with an antivirus solution that already detects the infection.
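The takeover described above leaves one package holding an accessibility service, a device administrator entry and the default SMS role at once, which is a combination worth auditing for. The following is an added example, not code from Dr.Web or the original article: it flags packages that hold two or more of those roles, assuming the inputs are the text returned by `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure sms_default_application` and the enabled device admins portion of `adb shell dumpsys device_policy`. All package names and sample outputs are constructed.

```python
import re

# Android component name: <package>/<class>, e.g. org.example.app/.SomeService
COMPONENT_RE = re.compile(r"\b([A-Za-z]\w*(?:\.[A-Za-z_]\w*)+)/[\w.$]+")


def packages_from_components(text):
    """Return the set of package names found in component strings in text."""
    return {m.group(1) for m in COMPONENT_RE.finditer(text or "")}


def audit(accessibility_value, sms_default_value, device_policy_dump,
          allowlist=()):
    """Return [(package, [roles])] for packages holding two or more of the
    roles the article describes. The allowlist is a hypothetical set of
    packages the device owner trusts (for example a managed MDM agent)."""
    a11y = packages_from_components(accessibility_value)
    admins = packages_from_components(device_policy_dump)
    sms = (sms_default_value or "").strip()
    sms_set = {sms} if sms and sms != "null" else set()

    findings = []
    for pkg in sorted(a11y | admins | sms_set):
        if pkg in allowlist:
            continue
        roles = []
        if pkg in a11y:
            roles.append("accessibility")
        if pkg in admins:
            roles.append("device_admin")
        if pkg in sms_set:
            roles.append("default_sms")
        if len(roles) >= 2:
            findings.append((pkg, roles))
    return findings


# Constructed sample inputs (not captured from a real infection).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "org.example.flashupdate/.HelperService")
SAMPLE_SMS = "org.example.flashupdate\n"
SAMPLE_POLICY = """Enabled Device Admins (User 0, provisioningState: 0):
  org.example.flashupdate/.AdminReceiver:
    uid=10123
"""

if __name__ == "__main__":
    for pkg, roles in audit(SAMPLE_A11Y, SAMPLE_SMS, SAMPLE_POLICY):
        print(f"review {pkg}: holds {', '.join(roles)}")
```

A package flagged here is a candidate for the safe-mode removal described above, not proof of infection; legitimate management agents can hold more than one of these roles.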