Hackers have unleashed a new variant of Android malware that poses as a fake banking app to trick users into compliance, after which it locks users out of their smartphones and sets about emptying their accounts, while victims scramble to access their phones again. The malware is called Fanta SDK and has been around since December 2015.
Security firm Trend Micro identified the threat and noted that the hackers were sending victims emails in efforts to distribute their malware encased app. Trend Micro mobile threat analyst Jordan Pan said: "We acquired a sample of a fake banking app in Russia named Fanta SDK that is capable of changing the phone's password when the user tries to remove or deactivate the application's admin privileges. It also has a unique way of running its routine by waiting for certain commands before it launches its attack."
According to Trend Micro, users are first sent an email, which imitates the email address of the bank. The mail informs the victim of a new security update recently released on the banking app installed on their phone and urges them to update it. Users who have such banking apps installed are likely to follow instructions and download the fake app onto their phones.
However, once the fake app has been installed, victims are induced to grant the app administrative privileges. In the event administrative privileges are provided, the malware remains inactive until the user launches the fake app, at which point of time a pop-up on the app deploys phishing techniques to obtain the victim's bank credentials, while redirecting it to the legitimate app.
The malware then transfers the hacked bank credentials to cybercriminals, who in turn use them to make fake transactions. Fanta SDK also has an alarming failsafe technique to ensure its success. In case it perceives a threat, it locks the users out of their own smartphones. It does this by generating a random smartphone PIN, which it installs when users attempt to uninstall the fake app from their phones, thereby locking the device. The malware then, having detected that the jig is up, proceeds to empty the users' bank accounts. It may take days or even weeks for victims to get back into their phones.
Trend Micro noted that Fanta SDK shares similar modus operandi with the cybercriminals who launched Operation Emmental, which targeted customers of banks in Switzerland, Sweden and Austria in 2014.