Skip to content

SophosLabs: Android malware intercepts SMS messages to steal mobile banking codes

AndroidMobile malware attacking Android devices is growing at an incredible rate, and our SophosLabs researchers have seen more than 650,000 individual pieces of malware for Android. Some of the most devious of these malware are designed to go after your bank accounts.

One of our SophosLabs researchers, Anna Szalay, made an interesting discovery recently: a new type of Android malware that slips in through a security hole in the USB debugging feature that allows developers to modify their Android devices. Naked Security expert Paul “Duck” Ducklin reports that this malware can intercept your SMS text messages to steal two-factor authentication codes.

Duck explains in his post that intercepting SMSes from your Android phone allows the attackers to steal the codes they can use to access, for example, your email accounts or bank accounts:

The crooks want to infect you with malware that knows how to intercept incoming SMSes and redirect their content elsewhere. You can see where this is going: mobile malware that reads your SMSes before you do can steal important data such as the two-factor authentication (2FA) codes sent by your email provider or your bank, giving cybercriminals a way into your account despite the extra layer of protection in place.

SophosLabs detects this SMS-stealing malware as Andr/FakeKRB-H. As Duck explains, this malware gets onto your Android in a multi-step process that starts with your device getting infected by a crafty piece of Windows malware that sneaks in through the USB connection between your Android and a PC. This “helper” malware is a downloader detected by SophosLabs as Troj/DwnlAPK-A.

If you connect your Android to a PC infected by Troj/DwnlAPK-A, the malware sneaks in under the guise of files that “appear to be regular, clean files that enable full USB-to-phone connectivity on Samsung and LG devices,” Duck writes.

Then, once the downloader is installed, it loads the SMS-stealing Android malware onto your device in what appears to be an app disguised as a Google-imitating “Google App Store” (the real Google store is simply called “Play Store”).

This is a good reminder that the bad guys continue to develop inventive ways of compromising our security to get at our most valuable data. Read the article at Naked Security to learn more about this malware and how to block it with security settings on your Android.

To learn more about Android malware, you should also check out our infographic explaining how cybercriminals can use your hacked mobile device to steal your data, your identity, and your money. Plus, read our quick tips to avoid malicious Android apps.

Androidmalwaregoogleappstore-500
Android malware Andr/FakeKRB-H installs itself as a fake “Google App Store” app.

Sophos Mobile Security for Android

To block malware threats to Android, get our free Android antivirus app, Sophos Mobile Security. It’s a robust yet lightweight app that protects your Android devices without compromising performance or battery life. Using up-to-the-minute intelligence from SophosLabs, it automatically scans apps as you install them. Other features include a privacy advisor, encryption, and per-app password protection that you can set up for sensitive apps like your email.

We’ve received several awards and many great reviews for Sophos Mobile Security, which has been downloaded more than 100,000 times from Google Play.

2 Comments

Leave a Reply to SophosLabs report explores mobile security threat trends, reveals explosive growth in Android malware | Sophos Blog Cancel reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!