The Android Bankosy malware steals banking OTPs

Security experts at Symantec have detected a new strain of the Android Bankosy malware that steals one-time passcodes delivered through voice calls generated by 2FA systems.

One-time passcodes, a crucial defense for online banking applications, are being intercepted by a malware program for Android, according to new research from Symantec.

One-time passcodes (OTPs) used in two-factor authentication schemes are a valid defense for online banking applications, but they are not enough to guarantee the security of bank customers. A new strain of malware dubbed Android.Bankosy has been improved by its authors to capture one-time passcodes and evade the 2FA mechanisms implemented by online banking systems.

Experts at Symantec first detected Bankosy in July 2014; the malware is designed to steal financial information from the victim's device.

In a classic two-factor authentication scheme, the one-time passcodes are sent to the bank user's mobile phone via SMS or automated phone calls.

Many banking trojans in the wild are able to snoop on or intercept the incoming SMS containing the OTP; for this reason, many banks started delivering OTPs through voice calls.

But cyber thieves are resourceful and have found a way to defeat this mechanism as well, by abusing call forwarding.

The authors of the Bankosy trojan abuse a carrier service code that forwards calls. Many mobile operators in the Asia-Pacific region use a service code in the format *21*[destination number]# to forward calls: dialing *21*1555215554# on a mobile device sets up unconditional call forwarding to the number 15555215554. To disable the call forwarding, the service code #21# is used.

The Bankosy malware forwards the calls delivering the one-time passcodes to a number obtained from the C&C server. It is also able to perform a number of actions that hide its presence, including disabling and enabling silent mode during an incoming call.
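The forwarding service codes described above follow the standard GSM MMI syntax, so a defender who logs the strings an app hands to the dialer can flag forwarding changes. The following Python detector is an added example, not code from the Symantec post or from the malware; it generalizes beyond the page's *21 code to the other standard forwarding service codes (61, 62, 67), and the log lines and number are constructed samples.

```python
import re
from typing import Optional

# GSM MMI service codes for call forwarding (3GPP TS 22.030).
# The article discusses only 21 (unconditional); 61, 62 and 67 are
# included because the same dial-string syntax controls them.
FORWARDING_CODES = {
    "21": "unconditional",
    "61": "no reply",
    "62": "not reachable",
    "67": "busy",
}

# Prefix decides the action: *SC*SI# activates, #SC# deactivates, etc.
ACTIONS = {"*": "activate", "**": "register", "#": "deactivate",
           "##": "erase", "*#": "interrogate"}

# Matches *SC*SI#, **SC*SI#, #SC#, ##SC#, *#SC#; SI (the destination) is optional.
MMI_RE = re.compile(
    r"^(?P<prefix>\*\*|\*#|##|\*|#)(?P<sc>\d{2,3})(?:\*(?P<si>[\d+]*))?#$")

def classify_mmi(dial_string: str) -> Optional[dict]:
    """Parse a dialled string; return None unless it is a forwarding code."""
    m = MMI_RE.match(dial_string.strip())
    if not m or m.group("sc") not in FORWARDING_CODES:
        return None
    return {
        "action": ACTIONS[m.group("prefix")],
        "condition": FORWARDING_CODES[m.group("sc")],
        "destination": m.group("si") or None,
    }

# Constructed sample of dialer events (hypothetical format), one per line:
# a normal call, a forwarding activation, a balance-check style code, a deactivation.
SAMPLE_LOG = """\
tel:15555215554
tel:*21*15555215554#
tel:*100#
tel:#21#
"""

def scan_dial_log(log: str) -> list:
    """Return every call-forwarding change found in the log, in order."""
    findings = []
    for line in log.splitlines():
        number = line.split("tel:", 1)[-1]
        info = classify_mmi(number)
        if info:
            findings.append(info)
    return findings
```

On a fleet of managed devices, an unexpected "activate" or "register" for the unconditional condition with a destination the user never configured is the signal worth alerting on.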

“The malware starts a call intent with the destination number obtained from the C&C server to enable unconditional call forwarding on the target device. Figure 2 illustrates the cleaned up code responsible for accomplishing this functionality.” states a blog post published by Symantec.

“The back door also has support for disabling and enabling silent mode, in addition to locking the device, so that the victim is not alerted during an incoming call.

Once the unconditional call forwarding is set on the victim’s device, the attacker—who has already stolen the victim’s credentials (the first factor in two-factor authentication and authorization)—can then initiate a transaction. As part of the design, when the system demands the victim to enter the second factor (i.e., the authorization token sent through a voice call), the attacker will get the call through call forwarding and enter the second factor as well to complete the transaction.”

Once they have obtained the OTP, the crooks can combine it with the victim's stolen login credentials to take over the victim's bank account.


Pierluigi Paganini

(Security Affairs – Bankosy ,One-time passcodes)
