This Android Trojan steals banking creds and wipes your phone

A new Trojan banker for Android is capable of wiping compromised smartphones as well as stealing online banking credentials, security researchers warn. The Mazar BOT Android malware is spread using booby-trapped multi-media messages. If installed, the malware gains admin rights that give it the ability to do almost anything …

  1. Anonymous Coward

    Is it just me?

    Why would one install banking software on a mobile device easily misplaced on the train or down the pub in the first place?

    1. lansalot

      Re: Is it just me?

      Because "full device encryption"...?

    2. Fibbles

      Re: Is it just me?

      Why would anyone place all their banking information on a small piece of plastic which is easy to misplace?

      1. Anonymous Coward

        Re: Is it just me?

        "Why would anyone place all their banking information on a small piece of plastic which is easy to misplace?"

        Because if you lose that piece of plastic and report it you are not liable for losses, whereas with your phone you are.

        1. Fibbles

          Re: Is it just me?

          Losing your phone doesn't mean someone has access to your bank account. You'd have to lose your phone and your pin number. Similarly if you lose your bank card and have the pin written on it you'd be liable.

    3. Martin Summers

      Re: Is it just me?

      There's nothing wrong with banking apps.

      The real problem is a banking app allowing storage of credentials. My banking app certainly doesn't. It also has its own keyboard to avoid 3rd party keyboards logging every key.

      1. chasil

        Bank security varies.

        I previously used smaller, local institutions because I liked their low fees.

        However, after I had moved to a larger bank, I scanned my old bank, and several other local (smaller) banks with the Qualys TLS scanner at ssllabs.com.

        Surprisingly, my old bank scored an "F" as did several smaller peers.

        I do like using the ssllabs.com scanner before I put in a credit card or otherwise exchange sensitive information. Smaller firms often fail badly with security.

  2. Joe Drunk
    Facepalm

    Darwin is calling

    all those who are stupid enough to click on a link from some random SMS and then click "install" when prompted if they want to proceed with an MMS messaging APK from an unknown source.

    1. Ru'

      Re: Darwin is calling

      It would be nice if the article made this clear; one could read the text and think that one could be infected just by receiving/opening an mms.

      1. Anonymous Coward

        Re: Darwin is calling

        "It would be nice if the article made this clear; one could read the text and think that one could be infected just by receiving/opening an mms."

        But then "Installing software from an unknown source on your device can give you grief!" doth not click-bait make.

        1. Charles 9

          Re: Darwin is calling

          Ever considered this is a Stagefright-based exploit, meaning the Install dialogue never appears? Instead, the malware rides the MMS straight through to System, gains root permissions, and goes from there all without your knowledge? Remember, many phones are prone to Stagefright AND at EOL meaning they'll never be patched to fix the exploit.

          1. Anonymous Coward

            Re: Darwin is calling

            Right in the article, it says you have to click (tap, poke, whatever) on a link that you get in an SMS (not MMS). If it self-installed with zero input from the user, they would call it a virus, not a trojan.

            1. Charles 9

              Re: Darwin is calling

              Quote from the article:

              "The Mazar BOT Android malware is spread using booby-trapped multi-media messages. If installed, the malware gains admin rights that give it the ability to do almost anything with a victim's phone." (Emphasis mine)

              Multimedia messages means MMS, and an Android exploit using MMS at this point probably means it's a Stagefright exploit, unless you can point where it says otherwise.

              1. Anonymous Coward

                Re: Darwin is calling

                Sorry, Charles 9. I was actually referring to the blog post that the article was quoting - linked near the bottom. In the blog post, it refers to SMS multiple times, and the only reference to MMS is that MMS is what's implied in the fake notification.

      2. Anonymous Coward
        Facepalm

        Re: Darwin is calling

        That would defeat the purpose of posting such scareware ..

      3. Anonymous Coward

        Ironic

        Sadly this news is loaded with far more Trojan than the Trojan it's supposed to be reporting.

        Clearly reading this you would think the world is on fire, the reality is, nobody will ever be affected by this.

      4. Nigel 11

        Re: Darwin is calling

        "one could read the text and think that one could be infected just by receiving/opening an mms."

        Is that "completely impossible" or "not yet"?

        I'm sticking to using my desktop along with a completely non-networked code-generating gizmo that my bank sent me. Also to shopping only with credit cards, where the legal onus is on the credit provider to prove that it was I who spent the money, in a court of law if I insist that I did not.

        1. Speltier

          Re: Darwin is calling

          "...where the legal onus is on the credit provider to prove that it was I who spent the money, in a court of law if I insist that I did not."

          Or, in America, a completely biased arbitration proceeding, likely located as far as possible geographically from wherever you live. Yes, they do keep the paperwork you signed off on to get that bit of plastic.

    2. TonyJ

      Re: Darwin is calling

      "...Darwin is calling

      all those who are stupid enough to click on a link from some random SMS and then click "install" when prompted if they want to proceed with an MMS messaging APK from an unknown source..."

      Have to agree here. The only times I've ever turned on unknown sources was to install the Amazon app (apparently Google don't allow alternative play-type stores by default) and to install a diving app my own dive buddy wrote, to test for him.

      In both cases, it was immediately disabled again.

      My bank do send me SMS messages. To date they have never, ever, sent me an SMS with a link to install anything and frankly if I received one, I'd be very highly suspicious of it but I guess the kind of people these target don't fall into the tech savvy/above average intelligence/overly cynical and suspicious group(s) as found here.

      1. Joe Drunk
        Trollface

        Re: Darwin is calling

        "My bank do send me SMS messages. To date they have never, ever, sent me an SMS with a link to install anything and frankly if I received one, I'd be very highly suspicious of it but I guess the kind of people these target don't fall into the tech savvy/above average intelligence/overly cynical and suspicious group(s) as found here."

        I have a feeling anyone who does fall for such a ruse will subsequently become members of the overly cynical and suspicious group. I am a card carrying member.

        DevOps.

        Because it's bleeding edge. The hottest buzzword. Gotta keep saying it so it sounds like I'm aligned with latest technology. Plus it hasn't been mentioned in the past hour.

        DevOps.

        Time to set up a long, drawn-out meeting to discuss how great it is and bill by the hour for it.

      2. Fatman
        Joke

        Re: Darwin is calling

        <quote>... I'd be very highly suspicious of it but I guess the kind of people these target don't fall into the tech savvy/above average intelligence/overly cynical and suspicious group(s) as found here fall into the lowest 25 percentile of the intelligence scale.</quote>

        There!!

        FTFY!

      3. Tim Jenkins

        Re: Darwin is calling

        "The only times I've ever turned on unknown sources was to install the Amazon app"

        The official National Lottery app also requires 'unknown sources' to be enabled, because apparently Google 'doesn't allow any real money lottery apps in its store' (https://www.national-lottery.co.uk/android/installation)

        Or so I'm told. By a friend. Obviously. Ahem...

    3. Hans 1

      Re: Darwin is calling

      Well, in the lot, you will find heart surgeons, car mechanics, university professors, if the mms looks legit. Now, if you think they are stupid, how good are you at heart surgery or motor car mechanics ?

      We all have our specialities ...

      Hey, I could say: I am sure you run internet explorer/edge, so your opinion does not count. Worst is, you ARE supposed to be an expert in that field .... you are like a heart surgeon performing life-threatening operations with a sharp piece of plastic found in a bin outside the hospital ... STFU!

      I have good chances, because according to Gartner, 95% of "computer-literate users" (whatever that means) are useless at just that.

      1. DCLXV

        Re: Darwin is calling

        "Well, in the lot, you will find heart surgeons, car mechanics, university professors, if the mms looks legit. Now, if you think they are stupid, how good are you at heart surgery or motor car mechanics ?"

        Not stupid, just ignorant. There's no excuse for a certain level of ignorance about technology if you have a smartphone you carry around with you all the time, interact with daily, use to plan your social life and even your financial affairs on. You damn well better learn to treat such a device as intimately as you do your own home and not simply hope to excuse yourself if you leave all the doors unlocked because you never bothered to read the lock manual.

        For what it's worth, I do know every intimate detail about my personal vehicle as I do use it and depend on it daily. I don't know how the esoteric control systems in a flash luxury car work, but as the very label implies it's not a necessity and so I don't feel any inclination to spend vast sums of money on such a vehicle. Smartphones are another such luxury. Nobody seemed to need a smartphone when they were called PDAs and marketed at businessmen. Are we responsible, self-aware individuals or are we just specialized consumers with an ever-narrowing scope of knowledge and wisdom?

  3. Anonymous Coward

    simple, just enable Russian text

    1. Anonymous Coward

      I did it, but now I can't convert it back. Help!!

      1. Robert Baker
        Joke

        "I did it, but now I can't convert it back. Help!!"

        I will not buy this tobacconist's, it is scratched, comrade.

        1. Anonymous Coward

          "I will not buy this tobacconist's, it is scratched, comrade"

          My nipples explode with delight!

  4. Michael B.

    and this is why I haven't gone anywhere near my bank's mobile banking app and stuck to the separate security key. To be honest I don't need an app to tell me I don't have enough money anyway!

    1. Tessier-Ashpool

      Me too. No banking app is getting anywhere near my phone.

      I do have Apple Pay enabled, but that's tightly controlled and needs a fingerprint to work. There's little chance of any malware circumventing that.

      1. Anonymous Coward

        What if it's a jailbreaking exploit, meaning it can gain control of your phone at the system level and can just wait for your fingerprint to do its dirty work?

  5. Barry Tabrah

    Just smart enough

    This seems to target those who are just smart enough to be able to root their phone and allow installs from untrusted sources, but dumb enough to follow any link they're given.

    It is unfortunate that these people seem to be in the majority. I, for one, like to keep my phone security turned on and would always recommend that others do too.

    Rooting seems trendy, but for the majority of people it's really not a good idea. (see Just smart enough)

    1. Novex

      Re: Just smart enough

      I had to root my Android Moto G 1st Gen in order to put in the xprivacy software to make it more secure...

      Naturally, I also keep the 'don't install from untrusted sources' set to 'on'.

  6. Mike Shepherd
    Joke

    "...cannot be installed on...smartphones running Android with the Russian language option"

    I have the Russian keyboard installed, so am I protected? Or is there something else I should add?

    1. This post has been deleted by its author

  7. Anonymous Coward
    Linux

    Android Trojan wipes your phone?

    MMS Messaging

    Do you want to install this application? It will get access to:

    Allow this app to:

    * Your messages: edit your text messages (SMS or MMS), read your text messages (SMS or MMS), receive text messages (SMS)

    * Network communication: full network access

    * Services that cost you money: directly call phone numbers, send SMS messages

    * Phone calls: read phone status and identity

    * System tools: draw over other apps, prevent phone from sleeping, retrieve running apps

    Cancel | Install

  8. Old Handle

    Why would it erase your phone?

    Not that having your bank account robbed isn't bad enough (probably worse) but it sounds like "gains administration permission to do stuff including erase your phone" has been distorted into "ZOMG it will erase your phone!!!1". Neither external link seems to say it actually does erase your phone. And I'm not sure why they would want to do that. In general I would expect the authors to prefer you keep using a compromised phone for as long as possible.

    1. Nigel 11

      Re: Why would it erase your phone?

      "And I'm not sure why they would want to do that [erase your phone]"

      Destroy the evidence after they've bled you dry? Or just before, so your bank's security team cannot contact you to find out whether it was really you buying the £5000 TV?

  9. Mr.Bill

    "If installed"

    and how might that happen? The only relevant bit of info is "how does it get installed". Isn't that the whole point of security?!?. I'll tell you - IT DOESN'T.

    This whole article might as well be shortened to:

    "if installed, yada yada".
