back to article 'Invisible Man' malware runs keylogger on your Android banking apps

A new breed of Android malware is picking off mobile banking customers, particularly those in the UK and Germany, we're told. The Svpeng software nasty has been around for four years, and its creator was caught and thrown in the clink in 2015. However, the malware keeps on evolving, thanks to other crooks trying their hand …

  1. Anonymous Coward
    Anonymous Coward

    Who in their right mind

    Trusts online banking, let alone from a Stasi Penal Tracking device ?

  2. Your alien overlord - fear me
    Facepalm

    If I set my phone to Russian then that's a complete Denial of (any) Service since I don't speak/read Russian.

    1. Anonymous Coward
      Anonymous Coward

      If it deletes itself once you set your phone to Russian, you can set it right back to English after.

  3. ratfox
    Paris Hilton

    I'm confused

    There are banking apps that don't use 2FA?

    1. sitta_europea Silver badge

      Re: I'm confused

      [quote]

      There are banking apps that don't use 2FA?

      [/quote]

      There are banking apps?

    2. peterm3
      FAIL

      Re: I'm confused

      There are some online banking systems which use the phone as the Second Factor in 2FA. In Germany they have replaced Transaction Authorisation Numbers (TAN) with a pushTAN from an app on your phone. So a determined criminal who has managed to phish your online banking details "just" needs to get you to download some malware onto your phone too.

      I'm not sure why more banks don't give customers hardware gizmos Like Nationwide BS or Barclays in the UK do. Can't cost more than a fiver and must pay for themselves with fraud prevention?

      1. Sloth77

        Re: I'm confused

        "I'm not sure why more banks don't give customers hardware gizmos Like Nationwide BS or Barclays in the UK do. Can't cost more than a fiver and must pay for themselves with fraud prevention?"

        Because they're a royal PITA? I carry enough crap in my pockets without a separate gizmo for each service requiring 2FA.

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm confused

          "Because they're a royal PITA? I carry enough crap in my pockets without a separate gizmo for each service requiring 2FA"

          You really can't put up with one secure solution / gizmo in your bag, or drawer at home???? Some crook emptying your bank account will be more than a slightly inconvenient PITA!

  4. Christian Berger

    Can't we finally admit...

    ...that the security features of mobile phones don't work, they are only a hassle to the user.

    In the end it always boils down to "don't install malware".

    1. d3rrial

      Re: Can't we finally admit...

      Doesn't that actually mean that security works great? If the only attack vector is user error, things are good!

      1. Christian Berger

        Re: Can't we finally admit...

        Well not quite, since many people believe that those security measures work, they instruct people to do unsafe behaviour. Just look at many websites who want you to install their app. Just look at the many apps which are malware (adware) or otherwise slurp your data.

        In fact, not being root on your own device means that you have to do backups via some external provider/app, which is a huge security risk compared to just scp-ing your data over to your computer or NAS.

        1. d3rrial

          Re: Can't we finally admit...

          There's certainly more that can be done in educating users, but technical security and security training of users are separate issues, at least to me...

  5. fidodogbreath Silver badge

    More than the stars in the sky,

    More than the grains of sand on all the beaches,

    Are the ways that any damn app

    Can gain root and pwn your Android.

    1. Anonymous Coward
      Anonymous Coward

      Re: More than the stars in the sky,

      Vogon?

    2. MyffyW Silver badge

      Re: More than the stars in the sky,

      "[Many] are ways that any damn app can gain root and pwn your Android"

      Well if you're daft enough to install packages from untrusted sources you do rather deserve your sorry fate.

      1. John Brown (no body) Silver badge

        Re: More than the stars in the sky,

        "Well if you're daft enough to install packages from untrusted sources you do rather deserve your sorry fate."

        And there's never been malware in any of the "official" and "safe" stores? Or apps which carry a payload to later download malware? Or malware loaded by ads? Using trusted sources only is the best way to minimise risk, but it won't eliminate it.

      2. fidodogbreath Silver badge

        Re: More than the stars in the sky,

        Well if you're daft enough to install packages from untrusted sources you do rather deserve your sorry fate.

        True; but there have been numerous well-documented cases of malware apps that made it into Google Play or the App Store. Some of them received a substantial number of downloads before being discovered.

  6. This post has been deleted by its author

    1. iron Silver badge

      Re: This was one thing that

      Read the fucking article, this has nothing to do with Flash. Idiot.

      1. Anonymous Coward
        Anonymous Coward

        Re: nothing to do with Flash

        To quote the article

        "The Trojan-Banker.AndroidOS.Svpeng.ae is distributed from malicious websites as a fake Flash player," said Roman Unuchek, ‎malware analyst at Kaspersky Lab.

        That talks about flash does it not?

        Because Flash gets updated so frequently and ... well the rest is obvious.

        At least my Windows Phone does not have this issue. No one updates anything for it now. This applies to MS as well as I run V8.1. They promised a Windows 10 upgrade but renaged on it.

        Security by Obscurity. Yay!

        1. Anonymous Coward
          Anonymous Coward

          Re: nothing to do with Flash

          Windows Phone is really good, extremely productive and even looks cool with all those live re-sizeable tiles.

          I really don't understand its lack of popularity and only a few apps, but like you, hey, security through obscurity is a good place to be, as well as having a phone with a great interface.

          Oh, I forgot, we can also connect it to a monitor, keyboard and mouse and through Continuum have the smallest laptop in the world in our pocket, fecking amazing!

          Android, and even more so iOS, are so bloody ancient in comparison it's unreal!

  7. Pen-y-gors Silver badge

    Who trusts Android?

    Don't get me wrong, I really like the convenience of a phone and Internet access in my pocket. And I refuse to pay the idiot tax. But who would actually trust the blasted things?

    I do online banking - from one laptop only. The idea of using Android for anything involving money (even the Paypal website) is strange. Android Pay? Oh come on... And I'm the sort of person who has only ever downloaded about a dozen apps, all from Playstore.

    I notice that the next bright idea from M$ is to allow Android to talk to Windows 10. Not on my phone it won't...

  8. RyokuMas Silver badge
    Pirate

    "The trick is to not install bad programs from untrusted websites, of course."

    ... as if that's going to happen.

  9. John Smith 19 Gold badge
    WTF?

    Non adobe web site says "you need to update your flash player."

    I say "F**k right off"

    Interesting point about setting the phone to Russian.

  10. Ochib

    This is why Flash should die a quick death

  11. Anonymous Coward
    Anonymous Coward

    if you install flash you deserve to be buggered by a keylogger.

    There is zero need for Flash - if you think otherwise, you are wrong.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021