back to article Updated Android malware steals voice two factor authentication

Malware-makers are stepping up the assault on Android handsets and are now quietly redirecting phone calls to steal voice-based two factor authentication details. An update to the Android.Bankosy trojan horse means it not only locks down handsets but steals data from hacked devices. Symantec threat-throttler Dinesh Venkatesan …

  1. gollux

    Isn't it sweet...

    Every time we come up with a supposed sure fire method to increase security, we soon have a nice method to completely circumvent it...

    1. Bob 18
      Facepalm

      Re: Isn't it sweet...

      We always knew Android was just about as secure as Windows 95, so no surprise someone is stealing your two-factor authentication. Hopefully you don't have your passwords on your phone too, requiring someone to find your computer AND phone to get into your stuff. You don't bank on your phone, do you? Do you?

      If you're serious about 2-factor authentication, you use an RSA tag that can't be hacked remotely.

      1. DryBones

        Re: Isn't it sweet...

        Newsflash: Installing dodgy applications from dodgy sites after you turned on installing APKs from third party sites and clicked through the warning about the effects of doing such... may get you infected with malware.

        So nothing new at all, then. Yawn.

        1. AlbertH
          FAIL

          Re: Isn't it sweet...

          Indeed: Once again you have to WANT to deliberately infect your device. Another non-story.

          1. John Brown (no body) Silver badge
            Facepalm

            Re: Isn't it sweet...

            "Indeed: Once again you have to WANT to deliberately infect your device. Another non-story."

            Are you assuming the Play Store has never served up trojanned apps?

        2. Nostromov
          Go

          Re: Isn't it sweet...

          Blah, newsflash... Supposedly the other "trusted" applications, where every single one of them will -surely- have a disclaimer saying how they could destroy us at any point and nobody on this planet can do anything about it - if we accept, install... Those apps are fine, then, right (lolz).

          The Android approach is, just, fundamentally flawed - giving all sorts of permissions, to whatever (and whoever, heh.) in order for anything to function. It's insane and daily we see celebrities' pictures hacked - surely teh banks are swamped with people having their money stolen, only because their kid scanned a QR code, or whatever - phone bills going through the roof, for unknown reasons and so on & so forth.

          ^^ Just because people reading The Register have a clue - it says nothing about the rest of the world and millions of Android (L) users

          1. Anonymous Coward
            Anonymous Coward

            Re: Isn't it sweet...

            "Just because people reading The Register have a clue - it says nothing about the rest of the world and millions of Android (L) users"

            And therein lies the problem, I might have a clue about security, but you won't find me messing with the brakes on my car. If you don't know, don't touch.

            The problem is users don't consider 'Allow unknown sources' a threat as I do the brakes on my car, so are quite happy to fiddle without thinking about the risks because "free game".

      2. Oengus Silver badge

        Re: Isn't it sweet...

        "If you're serious about 2-factor authentication, you use an RSA tag that can't be hacked remotely."

        We had to re-issue a whole heap of RSA tags a while because they were compromised.

      3. Anonymous Coward
        Anonymous Coward

        @Bob 18 Re: Isn't it sweet...

        RSA got majorly hacked and handled it terribly. Anyone who uses RSA should seriously consider whether they are a suitable company to trust with important security - not so much the hack but more the response - they caused most of the post revelation misery.

        A Windows PC is far, far more likely to get malware than a phone, far less safe for online banking. Compare the drive-by malware installs on PC versus on a phone - on a phone the attempt mean you have to have overridden security settings and and said yes to the prompt to install an unsafe app. I have yet to see malware on a phone personally, whereas I see many on PCs every month.

        1. Anonymous Coward
          Anonymous Coward

          Re: @Bob 18 Isn't it sweet...

          A Windows PC is far, far more likely to get malware than a phone

          I'm not so sure about that. A smartphone has far less power available, and is less equipped to run tasks in parallel than a Windows PC. Yes, a Windows PC is not the safest means of using the Internet but even I (not a Windows fan at all) would prefer that over a phone as I can at least change enough to make it safe. I don't feel I have that sort of control with Android.

          Caveat: I am uncertain that statement holds up for Windows 10. I don't even want to consider it..

      4. Nostromov

        Re: Isn't it sweet...

        Wait, what... People have down-voted Bob 18's comment - for, what? :D

        Android is terrible, without a rooted system and a whole bunch of tools (including a carefully managed rule-based firewall): shouldn't -really- trust and use any applications - which, everyone does it by default, which is ridiculous, hehe. xD

    2. Anonymous Coward
      Anonymous Coward

      Re: Isn't it sweet...

      "Every time we come up with a supposed sure fire method to increase security, we soon have a nice method to completely circumvent it..."

      Some Android handsets can be upgraded to Windows 10. That's about as secure as it gets at the moment in mobile. Zero malware so far across over 100 million devices.

      1. Dr. Mouse Silver badge
        Joke

        Re: Isn't it sweet...

        Some Android handsets can be upgraded to Windows 10. That's about as secure as it gets at the moment in mobile. Zero malware so far across over 100 million devices.

        Because there are only 5 users, all of whom work for Microsoft, and no apps available yet?

      2. Anonymous Coward
        Anonymous Coward

        Re: Isn't it sweet...

        God, I hope that's sarcasm because I've been reading about how millions of PCs are upgraded to Windows 10 (I can only assume these are PCs who's dull-eyed muggle owners have set to automatically apply all updates and weekly reboots.

        I've yet to encounter a PC/laptop that wasn't bought with W10 that is running W10, with the exclusion of one friend who just dropped his laptop off (which he upgraded to Windows 10) with instructions to "get this shit off my laptop, I want Windows 7 back".

      3. Anonymous Coward
        Anonymous Coward

        Re: Isn't it sweet...

        100m handsets, 99m of which are gathering dust in backrooms around Europe...

        Windows phone is dead and buried, even Microsoft has lost interest in it.

    3. Nostromov

      Re: Isn't it sweet...

      IMO, there are different ways of lookin' @it, for example: when I go to my bank (Banca Intesa, Italian bank), they regularly inform me that they have an online service and would I like to enable E-banking...

      Only the first time I had inquired about it, went to their portal - to see how it was done via teh MSIE Internet Exploder and some BHOs (& maybe certificates, can't -really- remember, but prolly not). These days, it *has* been updated to work with Firefox and other browsers - using Java; However, there will be (some) problems for whoever has installed 32-bit and 64-bit Java, on their x64 Windows - using a, regular, 32-bit browser.

      *the possibilities, there, are endless really - just taking these manifestations into account (you know, the system responds to errors, with generous feedback; then, there is more than one path to take and so on - it could be wonderful, hehe)

      The decision was and is quite simple. This kind of a system *can* be used and its coding is acceptable, but only a madman would enable and use their E-banking service. So, depends how you look at it: you can keep your money safe, or some people like to gamble - for convenience purposes, right...

      You, just, don't (do not) keep your database online - if you'd like it to stay secure; it's, really, simple. :)

      ^^ Things which ARE put online... Shouldn't be made by children (which is what happens, on regular basis; err, in fact, kids would do it better, LOL)

  2. Anonymous Coward
    Anonymous Coward

    Clueless

    Which phones, unrooted, 3rd party installs, what Android version, what countries?

  3. Anonymous Coward
    Anonymous Coward

    Manual install

    http://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99&tabid=2

    2014. Manual install. Risk level - very low.

  4. Walter Bishop Silver badge
    Linux

    Android trojan malware ..

    How does this Android trojan malware get onto the devices in the first place. Without the the end-user visiting a malicious website, downloading and installing the software?

  5. DougS Silver badge

    Why is voice more secure than SMS for passing one time codes?

    They both travel over the same networks, I fail to see the security benefit in banks switching to voice, and see a definite increase in annoyance.

    1. Pookietoo

      Re: Why is voice more secure than SMS for passing one time codes?

      Because malware requires greater processing capability to decode a voice message compared to a text message?

      1. Walter Bishop Silver badge
        Linux

        Re: Why is voice more secure than SMS for passing one time codes?

        It's not just a voice reading out the code, there's a lot of background noise like a number of people speaking in a room. Presumably to defeat speech to text decoders.

  6. Mr.Bill

    As usual

    the "once the malware is installed on the victim’s device" disclaimer. Its like "once the robbers are inside fort knox...". Conveniently skipping the slight bit about how to get in there in the first place. This is the whole point of security. A chimpanzee can write a malware.

    A little reminder that the reason android malware exists is because of large numbers of non-google play store phones from china and other 3rd world countries, and the little bit about that "allow unknown sources" checkbox.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019