A security company has found malware in an Android app in the Google Play Store. The malware can steal money from bank accounts via mobile banking apps without human intervention.
Android app contains malware
The security company ThreatFabric (via Security.nl) discovered the so-called Xenomorph malware in an Android app from the well-known developer Sam Ruston, who also made Hurry – Daily Countdown, BuzzKill – Phone Superpowers and Flamingo, among others. The app in question is called CoinCalc; once installed on a phone, it prompts the user to install an update or plug-in that pretends to be Google Play Protect.
Google Play Protect checks apps when you install them. The feature also regularly scans your device. If a potentially malicious app is found, Google Play Protect can do the following:
- Send you a notification. To uninstall the app, tap the notification, then tap Uninstall.
- Turn off the app until you uninstall it.
- Uninstall the app automatically. If a malicious app is detected, you will usually receive a notification that the app has been removed.
So Play Protect is already present on Android devices, and if an app asks you to download it, something is wrong. According to ThreatFabric, that is exactly the case with CoinCalc. The Xenomorph malware in the app uses the ATS (Automated Transfer Systems) framework to steal money from bank accounts via banking apps. ATS makes it possible to request login details and balance information. In addition, multi-factor authentication tokens can be stolen and transactions can be fully automated, without human involvement.
What about two-step authentication?
ThreatFabric indicates that banks are gradually replacing two-step authentication via SMS with multi-factor authentication. That layer of security has not always proven to be safe: a study showed that criminals can easily hack into your Google account if the screen lock is secured with a PIN code. Two-step authentication often relies on authenticator apps that are on the same phone as the banking app, and because both are on the same device, the malware can perform fraudulent transactions from that phone.
According to ThreatFabric’s analysis, the Xenomorph malware in CoinCalc can steal this sensitive information from 400 banking apps, such as the ABN Amro and ING mobile banking apps.