The antivirus company ESET announced that a new banking Trojan had been detected by its specialists, which managed to penetrate Google Play. The malware disguises itself as the Crypto Monitor and StorySaver cryptocurrency monitoring app, a tool for downloading stories from Instagram.
The first of these malicious applications, Crypto Monitor, was uploaded to Google Play on November 25 by the developer walltestudio. The second – StorySaver from developer kirillsamsonov45 – appeared on November 29th. Apps received a total of 1,000-5,000 downloads and were removed on December 4 following a warning from ESET.
Malicious applications support the declared functions, but, in addition, they can display their own messages on the screen, steal logins and passwords of a mobile bank and intercept SMS used for two-factor authentication.
Once launched and installed, the Trojan compares the programs installed on the device with its own list of banking mobile applications. This version of the malware targets 14 applications of Polish banks.
Upon detecting a target application on the device, the Trojan displays a fake mobile bank login and password entry form. This happens without user intervention, or after the victim opens a 'message from the bank', which also displays the trojan. The entered data will be sent to the attacker and used for unauthorized access to the victim's bank account.