A fake Android banking app found on Google Play was exfiltrating device identifiers, SMS messages, and phone numbers to its command-and-control (C&C) server, as discovered by Trend Micro's Echo Duan.
The mobile threat response engineer, "found this malicious app on Google Play on October 22, as part of a SMiShing scheme targeting Spanish-speaking users."
The Movil Secure Android app was camouflaging as a legitimate mobile token utility (used for transaction authorization and identity management) for the popular Banco Bilbao Vizcaya Argentaria (BBVA) Spanish banking group, featuring high-quality branding and professional grade UI design.
These type of attacks are increasingly popular among threat actors given that more and more Android users are installing banking apps on their devices to simplify banking their day to day operations.
"We also found three other similar fake apps under the same developer. Google has already confirmed that these apps have been removed from Google Play," said Duan.
According to Duan's analysis, the Movil Secure was initially added to the Google Play store on October 19, and it was installed over 100 times during the six days it was online.
Although Movil Secure was designed to lure users by taking advantage of BVVA’s popularity and well-known pro-technology approach, on closer inspection it didn't provide any of the tools and features it advertised in the Google Play entry.
Data collected by the fake Movil Secure banking app already being used in an ongoing SMiShing campaign
Once installed and launched on an Android device, the fake mobile token Movil Secure app hides by removing its icon from the screen and will collect a number of device identifiers (i.e., device ID, OS version, and Country Code) which it will then send to its C&C server and a phone number hardcoded in the device identifier collection function.
In addition, the fake banking app also exfiltrates phone numbers and SMS messages, with a possible goal of collecting all the data and using it in a later SMiShing campaign which might have already been started seeing that there are reports of people who installed this app and have been scammed afterward.
The developer behind the Movil Secure app also published three other fake banking apps: "Evo and Bankia are popular Spanish banks, while Compte de Credit isn’t connected to any large financial institution," said the Trend Micro researcher.
Moreover, "These three apps were published on October 19, the same time as Movil Secure. Analysis revealed that the apps have the same routine as Movil Secure — collect identifiers and SMS data, then send to the C&C server."
This is not a new attack vector seeing that fake and malicious finance apps have been found in the official Android app store before, as well as even more dangerous apps bundling Android Trojans capable of adapting to their masters' needs.
Furthermore, as unveiled by a very recent report, around 3,2 million Android malware samples have been identified by G DATA's research team up until the end of September 2018, with an impressive increase of approximately 40% relative to the same period tracked in 2017.