Researchers are warning that a new version of WannaLocker – essentially a mobile derivative of WannaCry ransomware – has been enhanced with spyware, remote access trojan and banking trojan capabilities.

Cybercriminals have been using the all-in-one malware package in a campaign targeting Brazilian banks and their Android mobile customers, according to a July 1 blog post from Avast, which is calling the malicious program WannaHydra. So far, targeted banks have included Santander, Itau and Banco do Brasil.

Avast Head of Mobile Threats and Security Nikolaos Chrysaidos, who discovered the malware, reported via his Twitter account that this new WannaLocker version appears to be a trifecta of the WannaLocker ransomware user interface, the AhMyth RAT program and custom banking malware. WannaLocker is also commonly known as SLocker.

“We believe this is the first sighting of this new mobile version of WannaLocker,” said Chrysaidos, as quoted by his company’s blog post. “It harvests text information, call logs, phone number[s] and credit card information, and if it takes off it could be a very serious issue.”

The likely attack vectors in this campaign are malicious links or third-party app stores, Avast reports.

“The banking Trojan works by showing users a fake interface and urging them to address an issue with their account by signing in,” Avast’s blog post states. “When they do, the malware collects a wide range of data, including the mobile manufacturer and other hardware information, call log, text messages, phone number, photos from front and back camera, contact list, GPS location and microphone audio data.”

After its installation, WannaHydra sends a bogus alert to users, warning of a problem with their bank accounts. When victims attempt to log in, they are actually entering their credentials into a fake overlay of the banking site and, in doing do, sending that information to the cybercriminals.

When it was originally discovered in 2017, WannaLocker targeted Chinese Android device users via gaming forums, encrypting their files on their infected devices’ external storage, and then delivering a ransom message. This version can display the same messaging in Portuguese, and has a corresponding an encryption component as well, but it “appears to still be in development,” Chrysaidos said.

“Hackers are becoming bolder and more shifty as they attempt to capitalize on previous attacks by combining them into a newer and more lethal attack,” said Will LaSala, director of security solutions and security evangelist at OneSpan in emailed comments. “Banks should be well aware of these individual attacks, but are probably [caught] off-guard by the new way they are being combined and used. It is important to continue to adjust our security methodologies, while maintaining what we have done in the past.”