The token generator is a fake and used to convince the victim they are setting up a secure connection with their bank.

Cybercriminals have updated a two-year-old banking app scam that grabs control of a victim's smartphone, locks them out and then drains their bank account while the person struggles to regain control of their device.

The original attack, uncovered by Trend Micro and called Operation Emmental, has been improved so that malicious actors can now use SMS to issue commands that let them control the hacked phone in real time. These commands include resetting passwords and locking the phone. The original version, once installed, intercepted SMS messages between the phone and the victim's bank, reconfigured the phone so its banking app pointed to a site that emulated the bank's, then installed a bogus token generator that helped steal banking login credentials.

The new version retains several elements of the original: spam messages con the victim into downloading the malware, and a fake token generator is still used. The new twist is that the malware intercepts incoming texts, checks whether they come from the command and control server and, if so, carries out the command in real time, before the victim has a chance to understand what is happening.

Richard Tai, a mobile threat analyst with Trend Micro, said in a blog post that the attacker can lock and unlock the phone at will, perhaps locking it long enough to keep the person busy while their bank account is drained.

“The malware communicates to specific URLs or phone numbers without the user's awareness or consent. Depending on the attacker's preference, the malicious app can send messages to these destinations in real-time via SMS, or at a later time via an internet connection,” Tai said.

Once the malware is on the phone and activated, it also runs a series of background operations for the attackers:

  • Download and parse the configuration file
  • Check that the pre-set URLs of the C&C servers are usable
  • Create a communication line between the affected phone and a remote user, encrypted with the Blowfish algorithm
  • Send out stored SMS messages