Cybersecurity experts have discovered a mobile malware strain that intercepts users' SMS messages to steal bank data and money.
According to Trend Micro specialists, the FakeBank malware has been spotted in several SMS/MMS management software apps and primarily targets victims in Russia.
"These advertised SMS management capabilities are turned against the victim. The malware intercepts SMS in a scheme to steal funds from infected users through their mobile banking systems," Trend Micro said.
Experts have observed the malware targeting customers of numerous Russian financial institutions such as Sberbank, Leto Bank and VTB24 Bank.
The malware has also been spotted in China, Ukraine, Romania, and Germany.
Once installed on a phone, the malware replaces the default SMS management program with its own and hides its icon. This allows it to monitor and analyze every SMS received and to delete messages.
"This means that any verification or query from the bank to the user can be intercepted and removed. It can even call an assigned phone number, send specified SMS, and steal call logs and contact lists," the experts said. "Most significantly, all this access to the device's SMS gives the malware an avenue to silently steal money from users' bank account."
Additionally, the malicious app can quietly connect to the internet and send the stolen information to its command and control server (C&C) without the user's knowledge.
Since many users link their bank accounts to their phone numbers and opt in to text notifications, the malware can intercept those messages and harvest sensitive banking information such as security codes. Hackers can then use the stolen data to log in to victims' online banking accounts, reset the passwords and covertly transfer money to their own accounts.
FakeBank can also steal phone numbers, a list of banking apps installed, the balance on a linked bank card and location data.
Some samples of the malware request admin privileges from the user, giving the malicious app further access to the compromised device.
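The behaviours described above (taking over SMS handling, sending SMS, reading call logs and contacts, talking to a C&C server and asking for device-admin rights) all have to be declared in an Android app's manifest before the system will grant them, which makes the manifest a cheap first triage point for a defender. The script below is an added example, not Trend Micro's detection logic or anything from the FakeBank samples: it parses a manifest with the standard library and scores the combination of SMS receiver, network access and the other capabilities the article lists. The two manifests embedded in it are constructed for the example, and the package names in them are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Android permissions behind each capability the article attributes to FakeBank.
SMS_READ_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_SEND_PERMS = {"android.permission.SEND_SMS"}
CALL_CONTACT_PERMS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
}
NETWORK_PERMS = {"android.permission.INTERNET"}
LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Broadcast actions an SMS-intercepting receiver registers for. SMS_DELIVER is
# only delivered to the device's default SMS app, so handling it is the mark of
# an app that wants to replace the stock messaging app.
SMS_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED",
    "android.provider.Telephony.SMS_DELIVER",
}
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the capability findings for one AndroidManifest.xml and a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    receiver_actions = {
        a.get(NAME_ATTR) for r in root.iter("receiver") for a in r.iter("action")
    }

    findings = []
    if perms & SMS_READ_PERMS and receiver_actions & SMS_ACTIONS:
        findings.append("sms_interception")
    if "android.provider.Telephony.SMS_DELIVER" in receiver_actions:
        findings.append("default_sms_handler_candidate")
    if perms & SMS_SEND_PERMS:
        findings.append("sms_sending")
    if perms & CALL_CONTACT_PERMS:
        findings.append("call_or_contact_access")
    if DEVICE_ADMIN_ACTION in receiver_actions:
        findings.append("device_admin_receiver")
    if perms & NETWORK_PERMS:
        findings.append("network_channel")
    if perms & LOCATION_PERMS:
        findings.append("location_access")

    # SMS interception plus a network channel to exfiltrate over, plus at least
    # two further capabilities, is the combination worth a manual look.
    if "sms_interception" in findings and "network_channel" in findings and len(findings) >= 4:
        verdict = "review"
    elif "sms_interception" in findings:
        verdict = "sms_capable"
    else:
        verdict = "low"
    return {"findings": findings, "verdict": verdict}


# Constructed sample: the permission set a FakeBank-style SMS manager would need.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.smsmanager">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

A legitimate messaging app also declares the SMS permissions and handles `SMS_DELIVER`, so this is a triage heuristic rather than a verdict: the value is in surfacing apps that pair SMS takeover with a network channel, device-admin enrolment and call or contact access, which a plain SMS client has no reason to combine.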
"FakeBank also stops the user from opening the target bank's legitimate app, to prevent any modifications to the relationship between the bank card number and your phone number," the experts said. "We can assume that the malware developer is very familiar with the bank message format and transfer process, as all the payment SMS notifications are noted and scrambled by C&C."
"One of the notable elements of this malware is the way it hides its payload. The malware has different behaviors that make it harder for infected users to get rid of it, and for security solutions to detect it," Trend Micro adds.
"It actually uses three different methods to obfuscate the malicious payload. The techniques range in complexity and the developers seem to be taking a multilayered approach to avoid exposure."
Most of the IP addresses behind FakeBank's C&C domains are registered by a company called Wuxi Yilian, which has previously been linked to other fraudulent domains.