Researchers have uncovered a banking trojan that can take over sensitive banking SMS messages to steal users' financial details and money (image: iStock)

Security researchers have discovered a mobile malware strain that can intercept users' sensitive SMS messages to steal their banking details and funds. According to Trend Micro researchers, the malware dubbed "FakeBank" has been spotted in several SMS/MMS management software apps and primarily targets victims in Russia and other Russian-speaking countries.

"These advertised SMS management capabilities are turned against the victim. The malware intercepts SMS in a scheme to steal funds from infected users through their mobile banking systems," Trend Micro said in a blog post published on Wednesday (10 January).

The researchers have observed the malware targeting customers of numerous Russian financial institutions such as Sberbank, Leto Bank and VTB24 Bank. It has also been spotted in China, Ukraine, Romania and Germany among other countries.

Once installed on a phone, the malware replaces the device's default SMS management programme with its own and hides the icon. This allows the malicious software to monitor and analyse every SMS received, and even to delete messages.

"This means that any verification or query from the bank to the user can be intercepted and removed. It can even call an assigned phone number, send specified SMS, and steal call logs and contact lists," the researchers said. "Most significantly, all this access to the device's SMS gives the malware an avenue to silently steal money from users' bank account."

Besides being able to switch the device's network connection on and off, the malicious app can quietly connect to the internet and send the stolen information to its command-and-control (C&C) server without the user's knowledge.

Since many users link their bank accounts to their phones and opt to receive text notifications, the malware can take over these messages to steal sensitive bank account information, such as security code messages. Threat actors can then use the stolen data to log in to victims' online banking accounts, reset the passwords and covertly transfer money to their own accounts.

FakeBank can also steal sensitive information from the device including users' phone numbers, a list of banking apps installed, the balance on a linked bank card and location data. The researchers observed some samples of the malware requesting admin privileges from the user, therefore allowing the malicious app further access to the compromised device.

After the malware is installed, the icon appears on the device screen and requests admin privileges from the user (image: Trend Micro)
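As an added defender-side example (not code from Trend Micro or from the article), the following Python triages an AndroidManifest.xml for the combination described above: an app that registers as the default SMS handler and also asks for device-administrator rights. The Android permission and action names are real identifiers; the weights, the `triage_manifest` function and the sample manifest are this example's own constructions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Permissions matching capabilities the article describes; weights are assumed here.
INDICATORS = {
    "android.permission.RECEIVE_SMS": ("receives incoming SMS", 2),
    "android.permission.SEND_SMS": ("sends SMS", 2),
    "android.permission.CALL_PHONE": ("places calls", 1),
    "android.permission.READ_CONTACTS": ("reads contacts", 1),
}
# A receiver for SMS_DELIVER is what a default SMS handler registers; a receiver
# guarded by BIND_DEVICE_ADMIN is how an app asks for device-admin rights.
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    found = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(name_attr, "")
        if name in INDICATORS:
            found[name] = INDICATORS[name]
    for receiver in root.iter("receiver"):
        if receiver.get(perm_attr) == DEVICE_ADMIN:
            found["device-admin"] = ("requests device administrator", 3)
        for action in receiver.iter("action"):
            if action.get(name_attr) == SMS_DELIVER:
                found["sms-handler"] = ("registers as default SMS handler", 3)
    score = sum(weight for _, weight in found.values())
    # Handling SMS_DELIVER alone is normal for an SMS app; pairing it with a
    # device-admin request is the combination worth a closer look.
    suspicious = "sms-handler" in found and "device-admin" in found
    return {"indicators": found, "score": score, "suspicious": suspicious}

# Constructed sample: an "SMS manager" that also asks for device-admin rights.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

A manifest that only handles SMS_DELIVER (a legitimate messaging app) is not flagged; the flag fires only when the device-admin receiver is also present.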

"FakeBank also stops the user from opening the target bank's legitimate app, to prevent any modifications to the relationship between the bank card number and your phone number," the researchers said. "We can assume that the malware developer is very familiar with the bank message format and transfer process, as all the payment SMS notifications are noted and scrambled by C&C."

To ensure it carries out its malicious activities successfully, the malware prevents users from opening device settings "likely to prevent installation", the researchers said. It also inspects the device for any anti-virus software and quietly exits without doing anything if it does find one.

"This is a tactic that helps it remain unreported and under the radar," Trend Micro explains. "One of the notable elements of this malware is the way it hides its payload. The malware has different behaviours that make it harder for infected users to get rid of it, and for security solutions to detect it.

"It actually uses three different methods to obfuscate the malicious payload. The techniques range in complexity and the developers seem to be taking a multilayered approach to avoid exposure."

Most of FakeBank's C&C domains have IP addresses located in Warmia-Masuria province in Poland and in Russia, the researchers said. They also noted that most of these addresses are registered by a company called Wuxi Yilian, which has previously been linked to other fraudulent domains.