Mobile Trojan Virus Android.Bankosy Intercepts One-Time Passwords

Posted By Denis Shokotko on Feb 8, 2016 | 5 comments

We store a lot of important information in the network: personal correspondence, photos, documents. For the most part, these are spiritual values – precious memories and the fruits of hours-long labor. But the Internet also stores rather concrete financial ‘matters’: our money.

Today many people use online banking, as it is convenient to transfer funds, to pay for the services, and to control your accounts online. It is no wonder that the fraudsters of all sorts pay special attention to the bank online resources and tirelessly attack them, constantly coming up with something new.

Not so long ago, a new version of the mobile trojan called Android.Bankosy was discovered.

What is dangerous in the trojan virus Android.Banksy

This virus intercepts one-time passwords used in banking applications for two-factor authentication (2FA).

A temporary OTP passwords used for the two-step authentication of the user are often sent via the text messages. Earlier, different versions of the banking trojan viruses, with Android.Bankosy being among them, have learned to intercept the authentication code sent this way.

In response to this threat, the cyber security specialists have developed and introduced systems that send one-time passwords via voice calls from the bank.

It seems that a reliable data protection was ensured. But as it has turned out even an advanced one-time passwords delivery means are not a barrier for hackers. The creators of the mobile trojan virus Android.Bankosy taught it to overcome this new type of protection. The current version of this virus is capable of intercepting calls from the bank server. Moreover, Android.Bankosy can turn off the sound on your phone, and lock the device’s screen if there is a call from the bank number. Thus, the client even won’t find out he received a code, and the fraudsters will carry out further actions on the account on behalf of the client.

How to protect data from the banking trojan Android.Bankosy

What can a regular user of online banking oppose to the hackers armed with the most modern tools? As is known, the best tools are usually the simplest. But sometimes we either forget or are too lazy to use them. Perhaps, considering them not effective enough. But they work. And work quite reliably.

1. Keep your smartphone secure from viruses.

To get the control over the victim’s phone, the trojan virus should, first of all, penetrate in it. This can be done in a standard for all viruses way: as part of a harmless and even useful application. The official stores carefully control their software. The applications they offer are rarely infected with viruses. Thus, we must resist the temptation, and do not download programs from the doubtful websites. This is especially true for the charged software. Do not forget about free cheese in a mousetrap. If you install the virus like the Android.Bankosy on your gadget, you can lose a lot more money than you need to buy the app you liked.

2. Use strong authentication.

The example of the virus Android.Bankosy proves that even 2-factor authentication cannot always protect you from the intruders. Indeed, the familiar methods of obtaining OTP passwords via text messages (and even voice calls) are not completely reliable.

That happens because modern hackers are able to get into the mobile phone network and transfer the call in the desired direction. Telephone communication channels are usually open and the information is transferred via them in an unencrypted form.

Another thing is the OTP token. Of course, a hardware one-time password generator is not free. But it provides a serious level of protection. It works autonomously from the Internet and telephone networks. And thus, fraudsters won’t manage to infect your device with the virus.

An alternative to a paid hardware token is an application for smartphone – a software OTP token. For example, Protectimus SMART by Protectimus is absolutely free, but at the same time, able to provide a high-level of security during the two-way authentication. The data signature function contributes to its reliability greatly. One-time passwords are generated on the basis of the key parameters of a particular transfer such as the sum of transferred money, the IP-address of the sender, the time of operation or a current account balance.

Although the application is installed on the smartphone, which may already be infected with viruses, a CWYS function (data signature) will make the intercepted password useless for fraudsters as the data of their fake transaction, of course, will be quite different from that real used when creating the password.