Malware "Spy.Banker "Attacks Czech Banks

Czech banks are under Malware attack again. To be more specific, their clients are. Using the already proven strategy, a Trojan horse called Android/Spy.Banker.AKJ delivers malicious payload using a trojanized application called Blockers Call 2019. The goal of this malware is to trick the user and perform a fraudulent transaction on their behalf.

Ten-thousand Users Endangered

As said above, this attack aims specifically at customers of several Czech banks, which have installed an application called Blockers Call 2019 (com.callblocker.adroid) from Google Play. Application, which was an initially a useful tool for blocking unwanted phone calls, has been trojanized.

It is simillar the technique we have witnessed in the QRecorder case a few months ago. After uploading, Spy.Banker.AKJ (sometimes called Android/Spy.Banker.AGQ) requests a raise of permissions for drawing overlay and reading SMS first. Then it scans for applications, which can be compromised and waits for the legitimate baking app to start. When it starts, a fake login screen appears with overlaid inputs to lure credentials and OTP SMS. If the user is not cautious enough, they will surrender both factors of authentication needed to perform the transaction.

Actually, this situation is not new, there are lots of other cases with compromised applications in Google repository recently. Despite Google trying to detect malicious code and fight back, Android/Spy.Banker.AKJ was downloaded ten thousand times before it was pulled down from Google Play Store.

What You Can Do – ThreatMark

Even for a careful customer, reading reviews on Google Play will not help. The application had perfect reviews and ratings from the past. Users can get suspicious when the updated application requests new and strange permissions, but that is the only clue. This transferred the responsibility to the banks.

With ThreatMark the banks have the opportunity to avoid this situation in the future – if embedded into native banking application our dedicated SDK library can constantly check the installed applications on the client’s devices for suspicious permissions requests. Also, whenever the application is classified as malicious from public libraries, our SDK library will know instantly about it and will raise a red flag. This approach allows the bank to react to this type of attack in no time. Moreover, the fraudster has to eventually open the application (regardless of the channel they use), and that is where ThreatMark’s Deep Behavior Profiling comes in, recognizing the user, based on hundreds of typical indicators, distinguishing the legitimate user from a fraudster.

Lukáš Jakubíček

Pre-Sales Consultant

Working for ThreatMark allows me to use my diverse set of technical and interpersonal skills I have developed for over 10 years working in the IT & Online Marketing Industry. Writing about cyber threats is only one of my duties, most of the time my colleagues and I assist and help our clients to find new and better ways on how to efficiently fight against the online fraud.

Connect me on LinkedIn Send me an e-mail

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.