The botnet — dubbed “Sandroid” — comes bundled with Android apps made to look like mobile two-factor authentication modules for various banks, including Riyad Bank, SAAB (formerly the Saudi British Bank), AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank.
. It’s not clear how the apps are initially presented to victims, but such scams typically infect the victim’s computer with a password-stealing banking Trojan. Many banks send customers text messages containing one-time codes that are used to supplement a username and password when the customer logs on to the bank’s Web site. That precaution requires attackers interested in compromising those accounts to also hack the would-be victim’s phone. Banking Trojans — particularly those targeting customers of financial institutions outside of the United States — may throw up a browser pop-up box that mimics the bank and asks the user to download a “security application” on their mobile phones. Those apps are instead phony programs that intercept and relay the victim’s incoming SMS messages to the botnet master, who can then use the code along with the victim’s banking username and password to log in as the victim.\
. Some 28,000+ text messageswere intercepted by the Sandroid botnet malware. This particular botnet appears to have been active for at least the past year, and the mobile malware associated with it has been documented by both Symantec and Trend Micro. The malware itself seems to be heavily detected by most of the antivirus products on the market, but then again it’s likely that few — if any — of these users are running antivirus applications on their mobile devices.
In addition, this fake bank campaign appears to have previously targeted Facebook, as well as banks in Australia and Spain, including Caixa Bank, Commonwealth Bank, National Australia Bank, and St. George Bank.
The miscreant behind this campaign seems to have done little to hide his activities. The same registry information that was used to register the domain associated with this botnet — funnygammi.com — was also used to register the phony bank domains that delivered this malware, including alrajhiankapps.com, commbankaddons.com, facebooksoft.net, caixadirecta.net, commbankapps.com, nationalaustralia.org, and stgeorgeaddons.com.
The registrar used in each of those cases was Center of Ukrainian Internet Names.
One problem with the whole banking infrastructure is that there are many targets for attackers. Researchers from consultancy MWR Infosecurity, uncovered four vulnerabilities in various mobile point of sale terminals – the ones that people behind the bar ask you to shove your card into, but the new ones that let the merchant set the thing up and manage it with their mobiles or tablets.( iZettle is the best known example in Europe ). In all cases, hackers can do what they want on the machine. The most likely scenario is they could change the code so that it reads the mag stripe… then they can clone the mag stripe after they’ve retrieved the PIN number. These point of sale devices are approved by Visa and MasterCard.
Malware appears to be well-detected by mobile antivirus solutions. Many antivirus firms offer free mobile versions of their products. Some are free, and others are free for the initial use — they will scan and remove malware for free but charge for yearly subscriptions. Some of the free offerings include AVG, Avast, Avira, Bitdefender, Dr. Web, ESET, Fortinet, Lookout, Norton, Panda Cloud Antivirus, Sophos, and ZoneAlarm. Incidentally, the mobile phone number used to intercept all of the text messages is +79154369077, which traces back to a subscriber in Moscow on the Mobile Telesystems network. Source – http://krebsonsecurity.com/2014/04/android-botnet-targets-middle-east-banks/ -