
Android Botnet Stealing Banking Credentials

Information security guru Brian Krebs has discovered an Android botnet that steals banking login credentials and two-factor authentication codes in the Middle East. According to Krebs, the malware was disguised as fake banking applications for several different banks including "Riyad Bank, SAAB, AlAhliOnline, Al Rajhi Bank, and Arab National Bank."

The good news is the Android malware used in connection with this botnet was discovered last year and is well detected by Android antivirus applications. Anyone using an antivirus app on their Android device was likely alerted to the threat before any information was stolen. The bad news is this Android botnet has already infected over 2,700 devices and stolen 28,000 text messages.


The exact method of infection for this Android botnet is unclear, but Krebs speculates this Android malware is working in association with a PC banking Trojan. Malware authors are aware that two-factor authentication is becoming more common within the banking industry. It is no longer enough to steal victims' usernames and passwords; cybercriminals must also steal the secret two-factor authentication passcode sent via SMS message to the phone number listed on the account.

The working theory for this botnet is as follows: A PC banking Trojan infects a computer and steals usernames and passwords from victims. During the infection the Trojan displays a pop-up window suggesting victims download and install a two-factor authentication application on their mobile device. This is a bogus security application that is actually designed to steal the victim's text messages. The fake Android security application may either steal only SMS messages received from known banking phone numbers or take a more blanket approach by stealing all text messages received by the device. The stolen SMS messages are copied and forwarded to the botnet server.

The cybercriminals operating this Android botnet gain access to victims' usernames, passwords and two-factor authentication passcodes, giving them all they need to access victims' bank accounts and steal hard-earned money. It appears this is not the first such attack by this cybercriminal, or group of cybercriminals. Similar banking Trojan campaigns have targeted banks in Australia and Spain, and the registration information for the malicious domain linked to this attack has been linked to other malicious banking websites.


Brian Krebs's analysis of this Android botnet and the affiliated malware is second to none, as we have come to expect from him. This seasoned security veteran has even come to appreciate Android antivirus applications, noting that this malware was widely detected by the Android antivirus industry. His praise is well received; we at Armor for Android, as well as many others in the Android antivirus sector, strive to maintain the most up-to-date virus definitions and protect the public from the growing threat of Android malware.

In addition to using an Android antivirus application, Krebs preaches these three rules for online safety. At Armor for Android we encourage Android users to take security seriously. Keep the following advice in mind when using your Android device to protect your sensitive information.

  • Install and use an Android anti-virus application and stay current with antivirus updates to ensure you are protected from the most recent threats.
  • Stay current with all other application and Android OS updates as these often contain patches for recently discovered security vulnerabilities.
  • Avoid downloading applications from untrustworthy sources.
  • Review permissions before downloading applications. Unnecessary application permissions, such as a calculator application requiring the SEND_SMS permission, can be a red flag indicating malware.
  • Read user reviews of applications before downloading and look for a strong web presence. Applications without a developer website, Facebook page, Twitter account, or customer support number should be considered suspicious.
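The "fake two-factor app" described above and the permission-review advice in the list share one practical check: an app whose declared capabilities let it read incoming SMS (where bank passcodes arrive) and send data off the device deserves a closer look. The script below is an added example, not code from Armor for Android or from Krebs's analysis, showing how an analyst might triage a decoded AndroidManifest.xml for exactly those signals. The two manifests it inspects are constructed samples (package names, labels and receiver names are invented); the permission and action strings are real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PRIO_ATTR = f"{{{ANDROID_NS}}}priority"

# Permissions that let an app read or intercept incoming text messages
SMS_READ_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Permission needed to send SMS (the calculator-with-SEND_SMS red flag from the list above)
SMS_SEND_PERMISSION = "android.permission.SEND_SMS"
NETWORK_PERMISSION = "android.permission.INTERNET"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: a bogus "security token" app that reads SMS, talks to the
# network, and registers a receiver that wants to see incoming SMS before any other app.
FAKE_2FA_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake2fa">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Bank Security Token">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: a plain calculator that only asks for network access (for ads).
BENIGN_CALC_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calculator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Calculator"/>
</manifest>
"""


def triage_manifest(manifest_xml):
    """Return the package name, its permissions, and a list of red-flag findings.

    Findings are heuristics for a human to follow up on, not a verdict:
    a real SMS client legitimately needs most of these capabilities.
    """
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    findings = []

    # Can read passcodes AND exfiltrate them: the combination that makes SMS theft possible
    if perms & SMS_READ_PERMISSIONS and NETWORK_PERMISSION in perms:
        findings.append("sms_read_plus_network")
    if SMS_SEND_PERMISSION in perms:
        findings.append("can_send_sms")

    # A broadcast receiver for SMS_RECEIVED sees every incoming text; a very high
    # priority puts it ahead of the stock messaging app (and, on old Android
    # versions, lets it abort the broadcast so the user never sees the message).
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in intent_filter.iter("action")}
            if SMS_RECEIVED_ACTION not in actions:
                continue
            findings.append("sms_received_receiver")
            try:
                priority = int(intent_filter.get(PRIO_ATTR, "0"))
            except ValueError:
                priority = 0
            if priority >= 1000:
                findings.append("high_priority_sms_receiver")

    return {"package": root.get("package"), "permissions": sorted(perms), "findings": findings}


if __name__ == "__main__":
    for sample in (FAKE_2FA_MANIFEST, BENIGN_CALC_MANIFEST):
        result = triage_manifest(sample)
        print(result["package"], "->", result["findings"] or "no red flags")
```

The point of the check is the combination, not any single permission: READ_SMS on its own is what a messaging client needs, and INTERNET is nearly universal, but a "security" or utility app that declares both, and additionally registers a top-priority SMS_RECEIVED receiver, matches the behaviour Krebs describes for the fake two-factor application. Decoded manifests of this form are what tools such as apktool produce from an APK; the script only reads the XML and never installs or runs anything.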

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Twitter: @James_AfA
