Danger level 7
Type: Other

Android Banking Trojan SpyLocker Threatens to Steal Your Data

Android is the most popular mobile operating system, believed to have close to 2 billion users around the world, which is why malware developers and distributors work hard to exploit every Android vulnerability they can find. Android Banking Trojan SpyLocker is a serious infection that can threaten any user whose Android device is not secured properly. Because most Android devices come with antivirus software pre-installed, the volume of infections is smaller than, for example, on the Windows operating system. Despite this, antivirus tools expire, users fail to install necessary security updates, and malware developers create new, more aggressive, and more complicated infections. This has opened a window for the devious Android Banking Trojan SpyLocker to sweep over the Android platform like a tsunami. The worst part is that it is silent, and most users do not even realize that it is active on their devices.

The devious Android SpyLocker is extremely similar to Police Locker, an infection that was threatening Android systems back in 2014. The chances are that both of these threats were created by the same malicious developer, and this is bad news because, in this case, the developer must have good knowledge of malware and how to make it as successful as possible. According to the most recent data, Android Banking Trojan SpyLocker has been updated since its first version. This first version was spread using the disguise of an Adobe Flash Player, and it was targeted at Android users who were using online banking services in Australia, New Zealand, and Turkey. Unfortunately, the latest upgrade has helped this devious infection to spread faster and wider, and it is now found terrorizing those using online banking services in Europe as well. The main function of this threat is to record debit/credit card data; however, it has other functions as well.

Although Android Banking Trojan SpyLocker continues using the good name of Adobe Flash Player to spread itself, it was found that this threat has also started spreading via corrupted WordPress and Joomla websites, as well as websites with pornographic content. The threat might be presented as a porn player, and if the user lands on a page presenting it, a drive-by download file called “pornvideo.apk” is downloaded automatically without any notice. Once installed, this piece is represented with either a Flash icon or an Android Update icon, which makes it inconspicuous. Once opened, the malicious infection is executed, and the icon disappears automatically. Right from the beginning, SpyLocker displays messages asking to activate administration rights. If these are provided, the malicious infection can take over the device, and this could lead to various security problems. For one, users might face virtual identity theft, and their devices could be used to spread malware. Furthermore, once the device is corrupted, it becomes extremely difficult to remove SpyLocker, and this is extremely important. Here is the message displayed by this Trojan:

Activate device administration?
Flash Player
Activating this administrator will allow the app Flash Player to perform the following operations […]

The clandestine Android Banking Trojan SpyLocker was created to record banking and financial data, and it achieves that using overlays. Using this method, the infection can automatically display fake versions of the forms that you are likely to associate with your banking apps on top of the real ones. This allows cyber criminals to record full names, card numbers, expiration dates, CVC/CVV codes, PIN codes, telephone numbers, and other sensitive data. Once this data is collected, it is automatically transmitted to remote servers where it can be reached by malicious parties who could use it to perform illicit activity (e.g., perform illegal transactions). In the same way, using overlays, the developers of SpyLocker can trick users into providing login details when they interact with Google apps (e.g., YouTube), eBay, Instagram, and similar apps.

Misleading overlays have been created for banking services associated with these banks and banking systems:

  • BankWest, Bendigo, NAB, NetBank, St.George, Westpac (Australia)
  • Banque Populaire, BNP Paribas, Credit Agricole, LCL (France)
  • ANZ, ASB, BNZ, Kiwibank, Westpac (New Zealand)
  • Asseco, ING, mBank, Pekao, PKO, Raiffeisen (Poland)
  • Alfa-Bank, Bankuralsib, Sberbank Mobile Banking, VTB24 (Russia)
  • Akbank, Finansbank, GarantiBank, TEB, Ziraat, YKB (Turkey)
  • Barclays, Santander, NatWest (United Kingdom)

Besides collecting data, SpyLocker also intercepts SMS messages, reads call/SMS history, and monitors the apps installed on the corrupted device. In general, this threat silently takes control of the Android device to record and leak as much personal data as possible. If users detect this threat and attempt disabling it, SpyLocker automatically locks their devices to stop them. The only way to stop this infection is using a strong antivirus tool. Hopefully, this infection will not disable access to the Google Play store, will not stop the installation of antivirus apps, and will not recognize them as they initiate removal. When it comes to protecting Android devices from this malware, the first step is employing trusted security software. Users should also be careful when downloading unfamiliar apps or even apps that look familiar but are spread by unfamiliar parties or via unreliable sites. Opening unfamiliar apps and files on the device is dangerous as well. Overall, as long as users are careful and use the right antivirus tools, they will not need to fear the attacks of such threats as the SpyLocker Trojan.
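The behaviours described in this article (Flash Player or Android Update disguise, device administrator activation, a vanishing icon, SMS and call-history access, overlays) can be combined into a triage score over an inventory of installed apps. The Python below is an added example, not code from the original article; the record fields, weights, threshold and package names are assumptions, and mapping overlays to the SYSTEM_ALERT_WINDOW permission is a heuristic rather than something the article states.

```python
# Added illustration: behaviour-based triage of an Android app inventory.
# Record fields, weights, threshold and all sample records are constructed.
P = "android.permission."
PLAY_STORE = "com.android.vending"
LURE_LABELS = ("flash player", "android update")  # disguises named in the article
SMS_PERMS = {P + "RECEIVE_SMS", P + "READ_SMS"}
CALL_LOG = P + "READ_CALL_LOG"
OVERLAY = P + "SYSTEM_ALERT_WINDOW"  # assumed overlay mechanism (heuristic)


def triage(app):
    """Return (score, reasons) for one inventory record."""
    reasons = []
    perms = set(app["permissions"])
    label = app["label"].lower()
    if any(lure in label for lure in LURE_LABELS) and app["installer"] != PLAY_STORE:
        reasons.append((3, "lure label installed from outside Google Play"))
    if app["device_admin"]:
        reasons.append((2, "active device administrator"))
    if not app["launcher_icon"]:
        reasons.append((1, "no launcher icon"))
    if perms & SMS_PERMS:
        reasons.append((2, "can read or intercept SMS"))
    if CALL_LOG in perms:
        reasons.append((1, "can read call history"))
    if OVERLAY in perms:
        reasons.append((1, "can draw over other apps"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]


def flagged(inventory, threshold=6):
    """Packages whose combined score reaches the threshold."""
    return [a["package"] for a in inventory if triage(a)[0] >= threshold]


INVENTORY = [  # constructed sample records
    {"package": "com.example.bank", "label": "Example Bank", "installer": PLAY_STORE,
     "device_admin": False, "launcher_icon": True, "permissions": [P + "INTERNET"]},
    {"package": "com.example.sms", "label": "Messages", "installer": PLAY_STORE,
     "device_admin": False, "launcher_icon": True,
     "permissions": [P + "RECEIVE_SMS", P + "READ_SMS", CALL_LOG]},
    {"package": "com.example.mdm", "label": "Work Agent", "installer": PLAY_STORE,
     "device_admin": True, "launcher_icon": True, "permissions": [P + "INTERNET"]},
    {"package": "com.example.fakeflash", "label": "Flash Player", "installer": None,
     "device_admin": True, "launcher_icon": False,
     "permissions": [P + "RECEIVE_SMS", P + "READ_SMS", CALL_LOG, OVERLAY]},
]

if __name__ == "__main__":
    print(flagged(INVENTORY))
```

No single indicator is enough on its own: the legitimate messaging app and the device-management agent in the sample data each score below the threshold, and only the combination of signals flags the fake Flash Player record.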
