
What makes your Android phone a target of malware

CIOL Bureau

BANGALORE, INDIA: Trusteer researchers have discovered the first Tatanga-based man in the mobile (MITMO) attack as well as new SPITMO configurations which are targeting Android mobile banking users in Germany, the Netherlands, Portugal and Spain.


Android-based mobile phones hold a dominant 60 percent market share but are plagued by a reputation for weak app security, so it is no surprise that financial malware is targeting Android devices, according to the research firm.


Researcher Amit Klein's blog says "Like previous attacks, both the SPITMO and Tatanga MITMO variants target Windows users on the web and use a web injection in the desktop browser to lure them into installing a fake security application on their phones. The fraudsters claim this application is required by the bank as a new layer of protection, and that 15 million bank customers around the world are already using it."

The researcher further pointed out that the victims are asked to choose the device’s operating system from the following list:

- iOS (iPhone)
- BlackBerry
- Android (Samsung, HTC, etc.)
- Symbian (Nokia)
- other


In most attacks, if the victim is using an operating system other than Android the malware informs the user that no further action is required. However, for all Android users, the desktop component of the MITMO attack requests the victim’s phone number and notifies them that a link for downloading the security application has been sent (via SMS) to their mobile device. The user is directed to install the fake application from this link and enter the activation code provided by the malware. Certain attacks also request that BlackBerry users download the application, but it does not actually install on these devices.

Once installed, the mobile malware captures all SMS traffic, including transaction authorization codes sent by the bank to the victim via SMS, and forwards them to the fraudsters. This enables the criminals to initiate fraudulent transfers and capture the security codes needed to bypass SMS-based out-of-band authorization systems used by many European banks.
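The capability described above (read every incoming SMS, including the bank's one-time codes, and forward it off the device) shows up in an Android app's manifest as a specific combination of permissions and a broadcast receiver for incoming SMS. The following script is an added triage example written for this article; it is not code from Trusteer, from the researchers, or from the malware itself. It parses an AndroidManifest.xml and flags the SMS-interception pattern. The two manifests are constructed samples, and the package names and the verdict thresholds are the author's own assumptions, not values taken from the reported attack.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that together let an app read inbound SMS (the bank's transaction
# code) and move it off the device. This pairing is the pattern to look for.
READ_SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
EXFIL_PERMS = {"android.permission.SEND_SMS", "android.permission.INTERNET"}

# Constructed sample manifests (not real malware artifacts); package names are made up.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurity">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Security App">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def _android_attr(elem, attr):
    """Read an attribute in the android: namespace, e.g. android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr))


def extract_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        _android_attr(el, "name")
        for el in root.iter("uses-permission")
        if _android_attr(el, "name")
    }


def sms_receiver_priorities(manifest_xml):
    """Return the android:priority of every intent-filter that listens for
    SMS_RECEIVED. On Android versions before 4.4 a high-priority receiver sees
    the message before the default messaging app and can abort the broadcast,
    which is how an SMS-stealing app keeps the bank's code out of the inbox."""
    root = ET.fromstring(manifest_xml)
    priorities = []
    for flt in root.iter("intent-filter"):
        actions = {_android_attr(a, "name") for a in flt.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            priorities.append(int(_android_attr(flt, "priority") or 0))
    return priorities


def assess_sms_interception_risk(manifest_xml):
    """Combine the signals into a simple verdict a triage pipeline could act on."""
    perms = extract_permissions(manifest_xml)
    reads_sms = bool(perms & READ_SMS_PERMS)
    exfil = sorted(perms & EXFIL_PERMS)
    priorities = sms_receiver_priorities(manifest_xml)
    listens = bool(priorities)
    # "high" only when the app can read SMS, actively listens for it, and has a
    # channel to send it out; any one signal alone is common in legitimate apps.
    risk = "high" if (reads_sms and listens and exfil) else "low"
    return {
        "reads_sms": reads_sms,
        "listens_for_sms": listens,
        "max_receiver_priority": max(priorities, default=None),
        "exfil_channels": exfil,
        "risk": risk,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, assess_sms_interception_risk(manifest))
```

Run it against a manifest extracted from an APK (for example with apktool) rather than the embedded samples; the verdict is deliberately conservative, since a messaging app legitimately holds the same permissions, so the output is a triage signal to prioritise manual review, not a malware verdict on its own.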

The attackers use different social engineering tricks in each country to lure victims into downloading the fake application, including URLs with the words “secure” and “Android files” with a .com domain name.

Trusteer investigated the registration information for these URLs, which pointed to China and the US. The domains were registered in June, just prior to the initial attacks. All of the URLs are inactive at the time of writing.

Both Tatanga and SpyEye use the same Android application in this attack, the Trusteer blog post said.
