Experts have detected one of the most dangerous Android banking malware. The Acecard malware is capable of attacking users of nearly 50 different online financial applications and services and is able to bypass the Google Play store’s security measures.
Last year, cyber security experts detected the malware after an unusual increase in the number of mobile banking attacks in Australia and its environs.
The Acecard Trojan family uses almost all the malware functionality currently available – from stealing a bank’s text and voice messages to overlaying official app windows with false messages that simulate the official login page in an attempt to steal personal information and account details. The most recent versions of the Acecard family can attack the client applications of some 30 banks and payment systems. Considering that these Trojans are capable of overlaying any application upon command, the overall number of attacked financial applications may be much higher.
The malware can also attack: IM services: WhatsApp, Viber, Instagram, Skype; Social networks: VKontakte, Odnoklassniki, Facebook, Twitter; the Gmail client; The PayPal mobile app;Google Play and Google Music applications.
The malware was first detected in February 2014, but for a long period it showed almost no signs of malicious activity. Everything changed in 2015 when Kaspersky Lab researchers detected a spike in attacks: in the period May to December 2015, more than 6,000 users were attacked with this Trojan. Most of them were living in Russia, Australia, Germany, Austria and France.
During the two years of observation, Kaspersky Lab researchers witnessed the active development of the Trojan. They registered more than 10 new versions of the malware, each with a far longer list of malicious functions than the previous one.
Mobile devices were usually infected after downloading a malicious application masquerading as a legitimate one. Acecard versions are typically distributed as Flash Player or PornoVideo, although other names are sometimes used in a bid to imitate useful and popular software.
However, this is not the only way this malware is distributed. On 28 December 2015, security experts were able to spot a version of the Acecard downloader Trojan – Trojan-Downloader.AndroidOS.Acecard.b – in the official Google Play store. The Trojan propagates under the guise of a game. When the malware is installed from Google Play, the user will only see an Adobe Flash Player icon on the desktop screen and no actual sign of the installed application.