
‘KorBanker’ steals SMS messages, takes authentication codes in the process

For a year, Android users have been the target of malware known as “KorBanker,” which now steals SMS messages, including sensitive information contained in texts, like verification codes and location data.

According to FireEye, which discovered KorBanker and tracked its evolution, the threat has primarily infected devices in Korea. In just under two months, attackers stole 10,000 SMS messages from 96 devices, the firm revealed in a Wednesday blog post.

In an interview, FireEye malware researcher Hitesh Dharmdasani, the author of the post, said that the firm analyzed data exfiltrated over a 55-day period this spring.

More recently, a spike in KorBanker infections was seen starting Aug. 1 when more than 1,700 devices were impacted, he revealed via the blog.

In a chart, FireEye showed that attackers often intercepted texts containing GPS location data. Many of the stolen SMS messages, however, contained user authentication codes sent over text, including two-factor verification codes for Google and Facebook. Passwords for virtual private network (VPN) services were also purloined by attackers, FireEye found.

“You could generalize [the theft] to any sensitive data sent over SMS,” Dharmdasani explained, which is inclusive of instances where companies “send you a reset code for an account where you've forgotten the password.”

KorBanker's added functionality leaves user accounts for a plethora of services, including online banking, vulnerable to unauthorized access.
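The categories FireEye charted (authentication codes, GPS coordinates, VPN passwords) are the kind of thing an incident responder has to tally when triaging a batch of exfiltrated SMS. The script below is an added example, not FireEye's tooling or anything from the KorBanker analysis: it runs a few hypothetical pattern rules over a constructed set of messages and counts how many would have exposed a secret. The rule patterns and sample texts are assumptions made for illustration.

```python
import re
from collections import Counter

# Hypothetical triage rules (constructed for this example, not from FireEye).
# Each flags one category of sensitive content that KorBanker-style SMS theft exposes.
AUTH_CODE = re.compile(
    # "verification code is 482913"  or  "719205 is your login code"
    r"\b(?:code|otp|verification|passcode)\b[^\d]{0,40}\b\d{4,8}\b"
    r"|\b\d{4,8}\b[^\n]{0,40}\b(?:code|otp|verification|passcode)\b",
    re.I,
)
GPS_PAIR = re.compile(r"(-?\d{1,3}\.\d{3,})\s*,\s*(-?\d{1,3}\.\d{3,})")
VPN_CRED = re.compile(r"\bvpn\b.*?\b(?:password|pass|pwd)\b\s*[:=]\s*\S+", re.I | re.S)


def has_gps(text: str) -> bool:
    """True if the text carries a decimal lat/lon pair within valid ranges."""
    for lat, lon in GPS_PAIR.findall(text):
        if abs(float(lat)) <= 90 and abs(float(lon)) <= 180:
            return True
    return False


def classify_sms(text: str) -> set:
    """Return the set of sensitive-content categories found in one SMS body."""
    found = set()
    if AUTH_CODE.search(text):
        found.add("auth_code")
    if has_gps(text):
        found.add("gps_location")
    if VPN_CRED.search(text):
        found.add("vpn_credential")
    return found


def summarize(records):
    """Count flagged messages and per-category hits over (device_id, text) pairs.

    Returns (number_of_messages_flagged, {category: count}).
    """
    counts = Counter()
    flagged = 0
    for _device, text in records:
        cats = classify_sms(text)
        if cats:
            flagged += 1
        counts.update(cats)
    return flagged, dict(counts)


# Constructed sample of "exfiltrated" messages; device ids and texts are made up.
SAMPLE = [
    ("dev-01", "Your Google verification code is 482913"),
    ("dev-02", "Facebook: 719205 is your login code"),
    ("dev-03", "I'm here: 37.5665, 126.9780 see you soon"),
    ("dev-01", "VPN account ready. user=kim pass=Secr3t!"),
    ("dev-04", "Lunch at 12:30? The cafe on 5th."),
    ("dev-02", "Meeting room 4012 has been booked for you"),
]

if __name__ == "__main__":
    flagged, counts = summarize(SAMPLE)
    print(f"{flagged} of {len(SAMPLE)} messages exposed sensitive data: {counts}")
```

The takeaway for defenders is structural rather than about the regexes: any app holding the SMS read/receive permission on the device can read these messages, so a one-time code delivered by text is only as secret as the phone it lands on. App-based or hardware authenticators, and never sending credentials such as VPN passwords over SMS, remove that exposure.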

When FireEye initially detailed the threat last November, KorBanker was made to look like a Google Play banking application, as attackers' aims were to steal user credentials using a different vector. After the malware was installed, KorBanker would search for specific banking apps on victims' phones, then replace them with malicious versions of the applications in order to lure users to fake login pages.

[An earlier version of this article incorrectly stated that GPS location data sent via Google Maps was vulnerable to being intercepted. Any GPS data sent via text messages may be exposed on KorBanker infected devices.]
