Anti-virus company ESET warned about the growth activity of Android / Spy.Banker.F – Mobile Trojan of Russian origin.
The first samples of Android / Spy.Banker, designed to steal online banking information, have been discovered at the end of 2013. Version Android / Spy.Banker.F shows steady growth in the number of detections since the start of 2014 with a peak of activity in February 2015. This modification of malicious software up to 68% of the samples revealed the family.
Android / Spy.Banker.F focused on Russian-speaking users – up to 98% of infections are in Russia, 0.76 and 0.21%, respectively – Ukraine and Belarus. However, some samples were distributed through the Colombian and Chilean websites.
Infection occurs when Android-user visits one of the infected sites. On his smartphone or tablet loaded ARC file called «Anketa», and then in the main menu of the device appears “Installation».
When the user starts the application, it shall seek permission of the administrator under the pretext of data encryption (it supported version of Android 3.0 and above). Through administrator rights installed Android / Spy.Banker.F prevent its removal from the system.
After installing the Trojan sends a remote server phone number, IMEI infected device, a country version of Android, and other data. Functionality Android / Spy.Banker.F allows attackers to usernames and passwords for online banking, remotely control the infected device and install other malicious programs.
When a user opens Google Play, the Trojan displays a form for entering data bank card. Users can mix window with a legitimate request or enter authentication data to get rid of pop-ups.