Android malware steals one-time passcodes, a crucial defense for online banking

“One-time passcodes, a crucial defense for online banking applications, are being intercepted by a malware program for Android, according to new research from Symantec,” Jeremy Kirk reports for IDG News Service.

“The malware, called Android.Bankosy, has been updated to intercept the codes, which are part of so-called two-factor authentication systems,” Kirk reports. “The malware also ‘has support for disabling and enabling silent mode in addition to locking the device so that the victim is not alerted during an incoming call,'” wrote Dinesh Venkatesan of Symantec in a blog post on Tuesday.”

Kirk reports. “The one-time passcode is used with the victim’s login credentials, which the attackers have presumably already obtained.”

Read more in the full article here.

MacDailyNews Take: Good thing you got two for one, settler. Good thing you’re a cheapskate, too. That’ll serve you well with your newly-emptied bank accounts. (smirk)

[Thanks to MacDailyNews Reader “eldernorm” for the heads up.]


    1. From the Symantec blog post:

      So how does Android.Bankosy take advantage of voice-based 2FA? Once the malware is installed on the victim’s device, it opens a back door, collects a list of system-specific information, and sends it to the command and control (C&C) server to register the device and then get a unique identifier for the infected device. If the registration is successful, it uses the received unique identifier to further communicate with the C&C server and receive commands. . . .

      More about Android.Bankosy is available here:

      1. I guess you don’t understand the importance of being able to actually INSTALL updates that fix security problems. Apple makes that trivial for products going back several years. Google is unable to make updates available to a large majority of Android users, since the carriers are in-between. The carriers often don’t even support updates for all phones sold in the past year, let alone older phones.

        So, it’s one thing to look at number of vulnerabilities that ever exist, and quite another to compare vulnerabilities that you cannot EVER fix.

      2. Spidwood, you are veering off into right field. First, no one even implied that iOS is invulnerable. They simply stated that Android is historically and demonstrably vulnerable. Second, if you introduce a vulnerability to an iPhone through jailbreaking software, then you cannot blame Apple or iOS or the iPhone. That is a user error. Once you modify the product, you own the problems.

        Honestly, do you expect us to see any validity in your post at all?

      3. I know it is easy to assume Apple fanatics are all defensive about Apple. But a lot of us here instead call out Apple and annoy them whenever they bungle and bumble, me included. Check out my summary article about Apple security in 2015:

        Apple Security In 2015, Sorry : Grateful

        Apple’s biggest, repeating problem with iOS security right now is their poor system of developer security certificates for Enterprise developers. I’ve predicted Apple will be shoved into a wall and MADE to change their system in 2016. It’s been abused far too many times already.

        As for Stagefright, it proved to be more than just a security hole. It’s many security holes and it has NOT been patched on a great many Android devices, specifically because of Android fragmentation, aka fragmandroid.

        And, don’t think Stagefright was the only security problem on Android this past year. Nope! I have a list of them if you’d like me to provide it. Google has a whopping mess on their hands and their ‘vetting’ of the Google Play store doesn’t appear to be of much benefit, as the topic of this thread makes evident. What’s extra annoying to Google is their ‘Project Zero’ finding security holes in everyone else’s software and missing so many in their own. What’s that about?

  1. The story is terribly written, and does not appear to explain whether this exploit only targets Android, or if it can be used against Apple iOS devices too, since NFC is wireless.

    1. Quote
      – “Android malware steals one-time passcodes”
      – “a malware program for Android”

      A program isn’t called ‘Android malware’ if it also targets iOS or Windows phone or any other system.
      Really stretching there, fella.

  2. The thieves have hardly gone for the bonanza, have they? It’s a well known fact that Fragmandroid settlers are notoriously cheap and (generally) unlikely to have much, if anything, in their little bank accounts.

    Mostly, one suspects, they keep their pennies in a jar in the kitchen.

    1. Well, would a thief rather try to steal a Kia parked in a driveway, or a Bentley locked in a garage, behind an iron gate with security cameras?

      If they have online banking apps on their androids, that means that there is something to manage with those apps. Even if it is as little $17.50, it is worth the hassle if you infect a million people.

  3. I wonder if the coders at Google ever learned to finish a job and test it. Android phones are continuing to have problems with this shit and now a recent update to Nest thermostats cause them to shut down your furnace when you don’t expect it–like when it cold outside.

    What a bunch of incompetent hacks!

  4. I need some explanation. Are they steeling one time passwords, which by definition are single use, as in useless after the fact or are they steeling the base password generation seed, so they now have access to all future passwords, before you even get to use them?

    Simply, could unregistering your device and re-registering your device, (assuming you cleaned it in between) resolve the issue, or simply you are dead in the water without hope of recovery?

    Certainly it is bad to have malware, but I don’t understand the star attraction other than, this is one more malware to add to the list. It’s like the gnomes came up with a good idea, but it was poorly executed – depending on the response.

    1. Here is how it works. The thief finds a way to obtain username and password for the banking app in question (either by installing malware on that phone, or by hacking the bank and getting user names and passwords for online access). Now, most banks are protected by the two-step authentication. When the thief logs into your bank (either through browser or mobile app), the bank’s back-end server initiates the second-step authentication by sending you a SMS (or making a phone call), delivering the one-time code to log in. This malware will intercept that SMS or phone call and redirect it to the thief, so that he can now complete the log in and empty your account.

        1. Ah, but don’t you remember, Obama wants to have a back door into your iPhone.

          How long before the hackers discover or develop the workaround to do that and NO BANKING SOFTWARE would be safe on the iPhone too.

          1. I simply will stop using computers. Or, maybe it doesn’t matter, because the back doors will be in the commercial sector and banking system anyways. I mean I never filed for a federal job, yet they gave up background information on me, they weren’t supposed to have, anyway.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.