Czech banks are under Malware attack again. To be more specific, their clients are. Using the already proven strategy, a Trojan horse called Android/Spy.Banker.AKJ delivers malicious payload using a trojanized application called Blockers Call 2019. The goal of this malware is to trick the user and perform a fraudulent transaction on their behalf.
Ten-thousand Users Endangered
As said above, this attack aims specifically at customers of several Czech banks, which have installed an application called Blockers Call 2019 (com.callblocker.adroid) from Google Play. Application, which was an initially a useful tool for blocking unwanted phone calls, has been trojanized.
It is simillar the technique we have witnessed in the QRecorder case a few months ago. After uploading, Spy.Banker.AKJ (sometimes called Android/Spy.Banker.AGQ) requests a raise of permissions for drawing overlay and reading SMS first. Then it scans for applications, which can be compromised and waits for the legitimate baking app to start. When it starts, a fake login screen appears with overlaid inputs to lure credentials and OTP SMS. If the user is not cautious enough, they will surrender both factors of authentication needed to perform the transaction.
Actually, this situation is not new, there are lots of other cases with compromised applications in Google repository recently. Despite Google trying to detect malicious code and fight back, Android/Spy.Banker.AKJ was downloaded ten thousand times before it was pulled down from Google Play Store.

What You Can Do – ThreatMark
Even for a careful customer, reading reviews on Google Play will not help. The application had perfect reviews and ratings from the past. Users can get suspicious when the updated application requests new and strange permissions, but that is the only clue. This transferred the responsibility to the banks.
With ThreatMark the banks have the opportunity to avoid this situation in the future – if embedded into native banking application our dedicated SDK library can constantly check the installed applications on the client’s devices for suspicious permissions requests. Also, whenever the application is classified as malicious from public libraries, our SDK library will know instantly about it and will raise a red flag. This approach allows the bank to react to this type of attack in no time. Moreover, the fraudster has to eventually open the application (regardless of the channel they use), and that is where ThreatMark’s Deep Behavior Profiling comes in, recognizing the user, based on hundreds of typical indicators, distinguishing the legitimate user from a fraudster.
Lukáš Jakubíček
