CVE-2024-25355 – Node.js s3-url-parser module Vulnerability
May 7, 2024
Multiple IBM Cognos Controller Vulnerabilities
May 7, 2024
Severity
High
Analysis Summary
The Transport and Communications Agency (Traficom) in Finland has warned about an ongoing Android malware campaign targeting online bank accounts through smishing (SMS phishing) techniques.
Victims receive SMS messages in Finnish, appearing to come from banks or payment service providers like MobilePay, instructing them to call a specified number for assistance. Scammers posing as representatives then direct victims to install what they claim to be a McAfee app for protection against threats. However, this "McAfee app" is malware designed to compromise the victim's bank account.
The deceptive SMS messages use spoofing technology to appear to originate from domestic telecom operators or local networks, adding to their credibility. The scam specifically targets Android devices with the malicious APK (Android application package) hosted outside the official app store. Once installed, the malware allows threat actors to gain unauthorized access to victims' bank accounts, potentially leading to financial losses.
Authorities suspect the involvement of a variant of the Vultur trojan based on similarities with recent attacks reported by security analysts. The Vultur trojan employs hybrid smishing and phone call tactics to persuade targets into downloading a counterfeit McAfee Security app which delivers its malicious payload in stages to evade detection. Notable features of this trojan include extensive file manipulation capabilities, misuse of Accessibility Services, app blocking, Keyguard disabling, and custom status bar notifications.
To mitigate the impact of this malware, affected individuals are advised to contact their bank immediately for protection measures and perform a factory reset on their infected Android devices to remove all data and applications. Financial institutions like OP Financial Group emphasize that they do not request sensitive information over the phone or instruct customers to install specific apps for payment purposes. Instead, suspicious requests should be reported promptly to the bank's customer service and law enforcement.
Users are reminded to keep Android's built-in anti-malware tool, Play Protect, active to automatically safeguard against known versions of the Vultur trojan and other threats. This incident underscores the importance of vigilance against smishing attacks and the critical need for user education on recognizing and responding to such fraudulent tactics to prevent financial fraud and data breaches.
Impact
- Financial Loss
- Unauthorized Access
- Identity Theft
- File Manipulation
Remediation
- Be vigilant when downloading software and double-check the URL to see if it is legitimate.
- Never download software from untrusted sources.
- Download apps only from official app stores like Google Play Store or Apple App Store. Avoid downloading apps from third-party websites or unofficial sources.
- Review the permissions requested by apps before installing them. Be cautious of apps that request unnecessary permissions or access to sensitive data.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Keep your operating system and apps up to date with the latest security patches and updates.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Be cautious of unsolicited messages, emails, or links, especially from unknown or suspicious sources. Avoid clicking on suspicious links or downloading attachments from untrusted sources.
- Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Regularly back up your data to a secure location, such as a cloud storage service or an external hard drive.
- Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.
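The advisory's core technical point is that the malicious "McAfee" package is sideloaded from outside the official app store. One concrete way a helpdesk or incident responder can check a suspected device for that is to list third-party packages together with the store that installed them and flag any that did not come from Google Play. The script below is an added example written for this page, not tooling from Traficom, OP Financial Group or any other party named above. It assumes the output of `adb shell pm list packages -3 -i` has the form `package:<name>  installer=<installer or null>`; the sample lines and package names are constructed for illustration.

```python
"""Flag third-party Android packages that were not installed by an official store.

Input is expected to be the text produced by `adb shell pm list packages -3 -i`
(assumption about the exact format: one package per line,
"package:<name>  installer=<installer package or null>").
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Installer package IDs treated as official. Google Play is com.android.vending;
# add OEM store IDs here if the fleet uses them (assumption, adjust per environment).
OFFICIAL_INSTALLERS: Set[str] = {"com.android.vending"}

# One output line of `pm list packages -i`; "null" means no recorded installer,
# which is typical for packages pushed over adb or installed from a downloaded APK.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


@dataclass(frozen=True)
class PackageRecord:
    package: str
    installer: Optional[str]  # None when the device reports "null"


def parse_pm_output(text: str) -> List[PackageRecord]:
    """Parse `pm list packages -i` output into records; unparseable lines are skipped."""
    records: List[PackageRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        installer = match.group("installer")
        records.append(
            PackageRecord(match.group("pkg"), None if installer == "null" else installer)
        )
    return records


def sideloaded_packages(
    records: Iterable[PackageRecord], official: Set[str] = OFFICIAL_INSTALLERS
) -> List[PackageRecord]:
    """Return every record whose installer is not one of the official stores."""
    return [r for r in records if r.installer not in official]


def triage_report(text: str) -> List[str]:
    """Human-readable lines for the responder: one per sideloaded package."""
    findings = sideloaded_packages(parse_pm_output(text))
    return [
        f"{r.package}: installed by {r.installer or 'unknown (null)'}; "
        "not from an official store, review before trusting"
        for r in findings
    ]


# Constructed sample output; the package names are placeholders, not real IoCs.
SAMPLE_PM_OUTPUT = """\
package:com.example.bankapp  installer=com.android.vending
package:com.example.payments  installer=com.android.vending
package:com.example.fakeav  installer=null
package:com.example.sidegame  installer=com.google.android.packageinstaller
"""

if __name__ == "__main__":
    for line in triage_report(SAMPLE_PM_OUTPUT):
        print(line)
```

A hit on this check is not proof of infection: developers and enterprise MDM tools also install packages outside the store. It does, however, narrow a device with hundreds of apps down to the handful worth inspecting, and on a device belonging to a smishing victim the "security app" they were talked into installing will appear in this list rather than under the Play installer.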