Android Banking Malware SlemBunk Part of Well-Organized Campaign

itwbennett writes: Researchers from FireEye first documented the SlemBunk Android Trojan that targets mobile banking users in December. Once installed, it starts monitoring the processes running on the device and when it detects that a mobile banking app is launched, it displays a fake user interface on top of it to trick users into inputting their credentials. The Trojan can spoof the user interfaces of apps from at least 31 banks from across the world and two mobile payment service providers. The attack is more complicated than it appears at first glance, because the APK (Android application package) that users first download does not contain any malicious functionality, making it hard for antivirus apps and even Android's built-in app scanner to detect it.

Re: How do you like your lack of control now?

[Anonymous Coward]

This malware isn't from the Google play store, its from some porn site. The summary is garbage. Summary: user vists porn website, a pop up says please update flash. User clicks OK and downloads a .apk file. User has to go into options to allow side loading of apps and install the .apk he just downloaded. No shit bad stuff will happen.

Re:How do you like your lack of control now?

[Namarrgon]

Malware like this is possible because Android *does* offer you control, like sideloading. It's iOS that restricts control (and apparently many users need to be controlled for their own good).

Google can also nuke this shit, but only if its Play Services is installed. Most Chinese android devices are unassociated with Google, apart from using the AOSP codebase.

Re:

[Namarrgon]

Really? Can you link me to the the source page on AOSP [googlesource.com] where some of these spying APIs are defined?

Re:

[Namarrgon]

Which are not built into Android, and are certainly not part of the core OS.

Re:The fool and his money

[BarbaraHudson]

The latest versions, however, are distributed through drive-by download techniques, predominantly when visiting porn websites. Device owners are alerted that in order to view the videos on the site they need to update their Flash Player and an APK (Android application package) is offered for download.

Porn. Well, you wanted to see people getting f*cked, didn't you? Now take a selfie :-)

Never

[jodido]

This is why I don't and never will have a banking app on any mobile device.

Re:

[CastrTroy]

I do all my banking on a virtual machine on my desktop that I only use to visit the banking websites.

Re:Never

[sexconker]

I do all my banking at a bank.

Actually, I tried to, but half of the time they told me shit like "Nah, we can't do that at the bank, go online to do it." or "Nah, we're Bank of America and you need to call Banc of America, despite the fact that your card says Bank of America on it.". I closed my fucking accounts when they said they wouldn't block the repeated fraudulent ACH withdrawals from my checking account. They said they would block transactions from XYZ for a specific amount, $N, but XYZ was free to steal $N+1 or $100*N at any time.

I'd say that more than half of the insecurity and general fucked-upedness of banking in the US resides with the banks, not with the methods people access the banks. The fact that we're barely transitioning to chip-and-sign (not even chip-and-pin) is a great example of how little they care.

Re:Never

[ElectricHellKnight]

I do all my banking under my mattress.

Re: Never

[Anonymous Coward]

Found the masterbanker.

Re:

[DogDude]

Banking with banks is dumb unless you're ultra-rich. Everybody else should use credit unions.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[lhowaf]

You're right...and the chip-and-sign cards have nothing to do with security. It is just the banks shifting liability for fraud away from themselves and onto retailers.

Re:

[antdude]

How about on computer and in person? Same thing can happen. :P

Re:Never

[thegarbz]

I used to do it on my Windows 10 machine, but after advice here on Slashdot I now only do internet banking on an old vanilla Windows XP machine running IE6. I heard that Windows updates are bad, and antivirus products are worse so I have gone back to basics to keep me safe.

Re:

[sociocapitalist]

This is why I don't and never will have a banking app on any mobile device.

Unless paired with a physical token...?

Re:

[account_deleted]

Comment removed based on user account deletion

Thank God for updates ...

[Billly Gates]

... oh that is right I need to be vulnerable for a year because Samsung and the carriers want me to buy a new phone to be more secure

Re:

[mrchaotica]

Where can I get quick and consistent updates and a removable battery and micro-SD slot at the same time?

Re:

[JazzLad]

quick and consistent updates
removable battery
micro-SD slot

Pick 2.

unless one of them is quick and consistent updates, then pick 1

Re:

[Goaway]

Oh, so you're an Android user, then.

Luddites

[ThatsNotPudding]

Maybe they had a point. Every day has news of more and more hacking exploits and vulnerabilities and you can extrapolate how many more are still under wraps. On top of this, we now have proof all our governments (and most corporations) spy on us and yet still want even more access, resulting in true privacy becoming as precious and diminishing as potable water.

The boiled frogs are about done.