Researchers from threat intelligence firm Cyble analyzed a new Android banking malware that targets Brazil’s Itaú Unibanco and tries to perform fraudulent financial transactions on the legitimate Itaú Unibanco applications without the victim’s knowledge.
Threat actors spread the malware using fake Google Play Store pages hosting malicious applications under the name ‘sincronizador.apk.’ The malware was first spotted by researchers at MalwareHunterTeam.
“The malware tries to perform fraudulent financial transactions on the legitimate Itaú Unibanco applications without the victim’s knowledge. This application has a similar icon and name that could trick users into thinking it is a legitimate app related to Itaú Unibanco,” reads the analysis published by the experts. “We observed that the TA has created a fake Google Play Store page and hosted the malware that targets Itaú Unibanco on it under the name ‘sincronizador.apk.’”
Once launched, the malicious app asks users to enable the AccessibilityService and to allow other actions such as Observe actions, Retrieve window content, and Perform gestures. The malware uses the AccessibilityService to carry out its malicious activities: this permission allows it to access notifications and window content, and to perform gestures on the display (i.e. tap the display).
The fake Google Play page analyzed by Cyble claims that the app has had 1,895,897 downloads.
Users should install applications only from the official stores to avoid such attacks.
“_lTAU_SINC/sincronizador Android malware targets the Brazilian bank Itaú Unibanco’s users and tries to perform fraudulent financial transactions without the victim’s knowledge,” conclude the experts.
“Threat Actors constantly adapt their methods to avoid detection and find new ways to target users through increasingly sophisticated techniques. Such malicious applications often masquerade as legitimate applications to trick users into installing them.”
(SecurityAffairs – hacking, Android banking malware)