Join

Enter Details

Comment on stories, receive email newsletters & alerts.

@
This is your permanent identity for Business Insider Australia
Your email must be valid for account activation
Minimum of 8 standard keyboard characters

Subscribe

Email newsletters but will contain a brief summary of our top stories and news alerts.

Forgotten Password

Enter Details


Back to log in

Thieves have made a huge malware play to steal Australian bank login details on Android phones

Photo: Shutterstock

A digital protection company has discovered that nearly all of Australia and New Zealand’s big banks are being targeted by malware on Android phones that can steal customers online banking details.

ESET released research today, showing malware known as Android/Spy.Agent.SI is able to steal login details by locking down a phone when you try to enter a bank’s app. From there, it will display a fake login screen for the bank and won’t let users leave that until they type in the details.

The thieves can then use the stolen credentials to log into a victim’s account and transfer money out of it.

This latest attack is incredibly sophisticated. After downloading apps infected with the malware, users agree to give the device administrator rights. This gives the malware a self-defence mechanism that prevents it from being uninstalled, as well as access to literally everything on a device, including the ability to hijack SMS messages.

It communicates with a remote server with a URL address that is regenerated every hour and information between the malware and server is sent every 25 seconds, including details such as model type, language and even the IMEI identification number (a phone’s ‘ID’). It then gathers the file names, searching for mobile banking apps and sends them back to the server.

Once it has worked out what banking apps are being used, it then overlays itself when the app is launched with an identical login screen that can’t be terminated until the login credentials are entered.

The malware can also be used to send thieves all the two-step verification text messages banks send to confirm the identity of someone logging in. It even deletes the text from a victim’s phone so they’re unaware of attempted logins. It can also steal Google account credentials used for email verification.

“This is a significant attack on the banking sector in Australia and New Zealand, and shouldn’t be taken lightly,” says Nick FitzGerald, Senior Research Fellow at ESET. “While 20 banking apps have been targeted so far, there’s a high possibility the e-criminals involved will further develop this malware to attack more banking apps in the future.”

“Mobile malware is becoming more common and complex. Smartphone and tablet users should be aware of the ramifications of entering personal information into potentially fake login screens.”

The full list of targeted banks include: Westpac, Bendigo Bank, Commonwealth Bank, St. George Bank, National Australia Bank, Bankwest, Me Bank, ANZ Bank, ASB Bank, Bank of New Zealand, Kiwibank, Wells Fargo, Halkbank, Yap Kredi Bank, VakfBank, Garanti Bank, Akbank, Finansbank, Türkiye Bankas and Ziraat Bankas.

Business Insider reached out to several Australian banks this morning, who said they’re looking into the issue and will get back to us. Westpac has since got back and said that they don’t have any evidence of their customers being impacted by the malware yet.

We’ll let you know what other banks say as soon as we can.

Follow Business Insider Australia on Facebook, Twitter, and LinkedIn