The SpyEye hacking toolkit has added an Android component that collects the text messages some banks use as an extra security precaution, a researcher said today.
“The standard SpyEye now also entices a user to download an Android app, which is actually a component that’s Android-specific malware,” said Amit Klein, the chief technology officer of Boston-based Trusteer, a security firm that specializes in online anti-cybercrime defenses.
The Android app poses as a security program that is required to use a bank’s online services from a mobile device. Ironically, the program is supposed to protect a user’s text messages from being intercepted.
Many banks now send customers a one-time code, usually a series of numbers, to their mobile phone. To access the account, a user must enter not only the traditional username and password, but also the just-received passcode. It’s that passcode that the bogus Android app intercepts and then re-transmits to a hacker-managed command-and-control (C&C) server, said Klein.