Android Banking Trojans Target Italy and Thailand

See March 20 update at end of page.

A very profitable line for mobile malware developers is Android banking Trojans, which infect phones and steal passwords and other data when victims log onto their online bank accounts. One recent trend is Android malware that attacks users in specific countries, such as South Korea and India. We have already seen this type of malware posing as mobile applications from banks in Spain and Portugal. Now a new threat distributed via phishing links targets users of banks in Italy and Thailand using the following icons:


When the malware runs, it asks the user to input a password and confirm it. If the passwords do not match, the app will show an error message:


However, unlike Android/FakeToken, this malware does not send the password to the attacker via the Internet or SMS. Instead, it sends an SMS to a specific number in Russia with the text “Ya TuT :) ” (“I am here,” in Russian) or “init” the first time that the application is executed. If the passwords match, the application shows the traditional fake security token seen in other families of Android banking Trojans:


After the user closes the application, the malware keeps running in the background and intercepts all incoming SMS messages using a receiver and the API call “abortBroadcast.” However, not all of the SMS messages are sent to the remote attacker in Russia, because they can be filtered using two mechanisms:

  • Sending an SMS with the keyword “@DELETE” disables the forwarding of SMS
  • Checking whether a potential mTAN is still valid: if the difference between the Start Time (when the SMS is processed) and the current time exceeds the Work Time (the time during which the mTAN is valid), that specific SMS is not forwarded to the attacker
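A static triage check for the interception pattern described above, added here as an example and not taken from the original post or from any vendor's detection logic. It reads a decoded AndroidManifest.xml and flags an app that can both receive and send SMS and registers a high-priority SMS_RECEIVED receiver; the sample manifest, the package and receiver names, and the priority threshold are assumptions, and the “abortBroadcast” call itself still has to be confirmed in the decompiled code.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 999  # assumption: heuristic threshold, not a value from the page

# Constructed sample manifest (hypothetical package and receiver names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.token">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsListener">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def triage_manifest(xml_text):
    """Report SMS permissions and receivers that could pre-empt the default SMS app."""
    root = ET.fromstring(xml_text.strip())
    perms = {p.get(A + "name", "") for p in root.iter("uses-permission")}
    receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:
                priority = int(flt.get(A + "priority", "0"))
            except ValueError:  # e.g. a resource reference instead of a number
                priority = 0
            receivers.append({"name": receiver.get(A + "name"),
                              "priority": priority,
                              "high_priority": priority >= HIGH_PRIORITY})
    can_receive = "android.permission.RECEIVE_SMS" in perms
    can_send = "android.permission.SEND_SMS" in perms
    # Receive + send + a receiver that runs before the default SMS app is the
    # combination needed to hide an incoming SMS and relay it by SMS.
    suspicious = can_receive and can_send and any(r["high_priority"] for r in receivers)
    return {"receive_sms": can_receive, "send_sms": can_send,
            "receivers": receivers, "suspicious": suspicious}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Starting with Android 4.4, the platform ignores attempts to abort the SMS_RECEIVED broadcast, so on those versions a hit from this check points to SMS reading and relaying rather than hiding messages from the user.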

In addition to the versions that directly target banks and financial institutions, there is also a variant of this family that tries to impersonate the security application Trusteer Rapport (just as the first Zitmo variant for Android did in July 2011):


Despite the fact that the user interface of this variant is different, the behavior is the same as the one already described. If you have been a target of this malware, contact your respective banks for instructions to secure your account. McAfee Mobile Security detects this threat as Android/FkSite.A and alerts mobile users if it is present on their devices, while protecting them from any data loss. For more information about McAfee Mobile Security, visit


A researcher at F-Secure, Sean Sullivan, has just helped to find another variant of this threat targeting Commonwealth Bank — NetBank in Australia:


The only difference from the variants we have described is that the stolen SMS are sent to a phone number in the United Kingdom. McAfee Mobile Security also detects this variant as Android/FkSite.A.