Pierluigi Paganini
May 06, 2024
Traficom, Finland’s Transport and Communications Agency, issued a warning regarding a current Android malware campaign aimed at bank accounts.
Traficom reported that clients of multiple banks received text messages in the Finnish language that instruct recipients to call a service number, from which the bank user is directed to install malware on the Android device. Threat actors used a phone number that seems to be the number of a domestic telecom operator or a local network.
The text messages purportedly from various companies, claiming debt collection or unusual account activity. The messages urge recipients to call a specified service number. Upon calling, recipients are warned of potential fraud and recommended to secure their device by downloading an antivirus software. Then the victims receive a follow-up text message containing a link to a security software which is actually malware disguised as McAfee antivirus. Once installed, the malware grants access to the victim’s applications and messages, including online banking, allowing crooks to steal funds from the victim’s online bank.
“According to reports received by the Cyber Security Center, targets have been advised to download the McAfee application. The download link offers the installation of an .apk application intended for Android devices that can be downloaded from outside the application store.” reads the alert published by the Traficom. “However, it is not an anti-virus software, but a malware that can be installed on the phone. With the help of the malware, the criminal can access the phone’s applications and messages, including online banking. The criminal uses malware to steal money from the victim’s online bank.”
The alert remarks that banks or authorities do not call the customer and ask to hand over online service credentials, make payments, or install applications from outside the app store on the device.
The ongoing campaign is only targeting Android users, Traficom is not aware of attacks against iPhone users.
Below is the list of recommended actions for those recipients who have installed the malware:
1. Contact your bank. If you used a banking application or processed credit card information on an infected device, contact your bank immediately to limit the damage.
2. Reset the device to factory settings. When restoring from a backup, you must ensure that a backup that was created before the malware was installed is restored to the device. In some cases, restoring to factory settings may not be possible. If restoring to factory settings does not work, we recommend contacting the seller of the device.
3. Protect your user account. Change passwords for services you’ve used on your device. The malware may have stolen your password if you have logged into the service after installing the malware.
4. File a criminal report with the police. File a criminal complaint about financial losses.
The Finnish OP Financial Group also issued an alert about the ongoing Android malware campaign.
“Criminals send text messages in the name of companies urging them to call the service number immediately. If you call the given number and click on the link received via text message during the call, the criminal can install malware on the phone.” reads the alert.
Both Traficom and OP Financial Group haven’t shared technical details about the malware family that targeted the bank users.
Google has previously confirmed to BleepingComputer that Android’s in-built anti-malware tool, Play Protect, automatically protects against known versions of Vultur, so keeping it active at all times is crucial.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Android malware)
