OREANDA-NEWS. February 26, 2016. Kaspersky Lab Anti-malware Research Team has detected one of the most dangerous Android banking Trojans ever seen. The Acecard malware is capable of attacking users of nearly 50 different online financial applications and services and is able to bypass Google Play store security measures.

During the third quarter of 2015, Kaspersky Lab experts detected an unusual increase in the number of mobile banking attacks in Australia. The suspicious activity was discovered to be the result of a single banking Trojan: Acecard.

The Acecard Trojan family uses almost every malware functionality currently available – from stealing a bank’s text and voice messages to overlaying official app windows with false messages that simulate the official login page in an attempt to steal personal information and account details. The most recent versions of the Acecard family can attack the client applications of some 30 banks and payment systems. Considering that these Trojans are capable of overlaying any application upon command, the overall number of attacked financial applications may be much higher.

Besides banking apps, Acecard can overlay the following applications with phishing windows:

  • IM services: WhatsApp, Viber, Instagram, Skype
  • Social networks: VKontakte, Odnoklassniki, Facebook, Twitter
  • The Gmail client
  • The PayPal mobile app
  • Google Play and Google Music applications

The malware was first detected in February 2014, but for a long period it showed almost no signs of malicious activity. Everything changed in 2015 when Kaspersky Lab researchers detected a spike in attacks during May to December 2015. During that time more than 6,000 users were attacked with this Trojan. Most of them were living in Russia, Australia, Germany, Austria and France.

During the two years of observation, Kaspersky Lab researchers witnessed the active development of the Trojan. They registered more than 10 new versions of the malware, each with a far longer list of malicious functions than the previous one.  

Who is behind it?

Looking closely at the malware code, Kaspersky lab experts are inclined to think that Acecard was created by the same group of cybercriminals that was responsible for the first TOR Trojan for Android Backdoor.AndroidOS.Torec.a and the first mobile encryptor/ransomware Trojan-Ransom.AndroidOS.Pletor.a. The evidence for this is based on similar code lines (names of methods and classes) and the use of the same Command and Control servers. This proves that Acecard was made by a powerful and experienced group of criminals, most likely Russian-speaking.

“This cybercriminal group uses virtually every available method to propagate the banking Trojan Acecard. It can be distributed under the guise of another program, via official app stores, or via other Trojans. The combination of Acecard’s capabilities and methods of propagation make this mobile banker one of the most dangerous threats to users today,” warns Roman Unuchek Senior Malware Analyst at Kaspersky Lab USA.

In order to prevent infection Kaspersky Lab recommends the following:

  • Do not download and/or install any applications from Google Play or internal sources if they are untrusted or can be treated as such
  • Do not visit suspicious Web pages with specific content and click on suspicious links

To learn more about the Acecard Trojan, please read the blog post available at Securelist.com.

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company founded in 1997. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them.