Android malware targets banks

Security researchers have detected malware that aims to steal login credentials from mobile banking applications provided by leading Australian and New Zealand banks.


The malware targets users of smartphones and other devices running the Android mobile operating system.


The researchers say the malware masquerades as Adobe Flash Player and can intercept SMS communications, compromising two-factor authentication processes many banks use to provide additional protection for customers.


The fake Adobe Flash Player application is available from suspect unofficial sources rather than the Google Play app store. The malware must be downloaded and installed on a device by a user.


The malware then asks the user for administrator rights before sending a list of applications on the Android handset to a remote server. Vulnerable mobile banking applications are then overlaid with a screen that requires the user to enter login credentials.


Once these credentials are entered, they are sent to a server, where they are captured for use by the criminals operating the malware. The user cannot progress to the mobile banking application without entering valid credentials.


The malware also tries to obtain Google login credentials.


Australian banks targeted by the malware, which security researchers at ESET detect as Android/Spy.Agent.SI, include Westpac, Bendigo Bank, Commonwealth Bank, St George Bank, National Australia Bank, Bankwest, ME Bank and ANZ Bank.

Targeted New Zealand banks include ASB Bank and Bank of New Zealand, while some Turkish banks are also believed to have been attacked.


Staying safe

The researchers suggest two ways of removing the malware.


The first method is to disable administrator rights then uninstall the fake Flash Player.


Another method is to boot into Safe mode, which stops third-party applications from loading or executing, then complete the uninstall process. More information is available at


Stay Smart Online recommends that users who suspect their phones are infected do not enter any login credentials and seek assistance from a technical expert to resolve the issue.


They should also advise their financial institutions and monitor their accounts closely for evidence of unusual activity. Further, they should consider amending login details for all online banking services.


11 March 2016.