FireEye researchers have spotted in the wild a new version of the RuMMS malware family that is attacking people in Russia using a SMS text message phishing, or smishing, scheme to steal personal and banking data from the phone.

An attack starts with the victim receiving what appears to be an innocuous text containing a malicious link that when clicked downloads RuMMS malware. The first RuMMS infection was observed in January 2016, but on April 3 FireEye noticed new samples emerging.

After establishing itself on the device, the RuMMS app requests admin privileges and runs hidden in the background. It then connects to its command and control server and begins sending texts containing banking information, redirecting incoming texts to the remote server, sending its own texts to phone numbers found on the device and forwarding incoming calls to intercept voice-based two-factor authorization requests.