Finland's Transport and Communications Agency (Traficom) has raised an alarm regarding an ongoing Android malware campaign aimed at infiltrating online bank accounts.
The agency has pointed out numerous instances of SMS messages written in Finnish that direct recipients to call a specified number. When victims call, the scammers instruct them to install a McAfee app, supposedly for security purposes.
The messages claim to come from banks or payment service providers such as MobilePay, and they spoof the sender so that they appear to originate from domestic telecom operators or local networks. The "McAfee app" being promoted is in fact malware that gives the attackers access to victims' bank accounts.
"According to reports received by the Cyber Security Center, targets are encouraged to download a McAfee application," states the advisory. "The download link offers an .apk application hosted outside the app store for Android devices. However, this is not antivirus software but malware to be installed on the phone."
OP Financial Group, a prominent financial service provider in Finland, has also issued a warning on its website about deceptive messages impersonating banks or national authorities.
The police have highlighted the seriousness of the threat, cautioning that the malware empowers its operators to log in to victims' banking accounts and execute fraudulent transactions. In one instance, a victim suffered a loss of 95,000 euros ($102,000).
Traficom emphasizes that the campaign targets Android devices only; there is no infection chain for Apple iPhone users.
Suspected Vultur Trojan
While Finnish authorities have yet to confirm the exact nature of the malware and have not disclosed any hashes or IDs for the APK files, the attacks bear resemblance to those recently reported by Fox-IT analysts in connection to a new iteration of the Vultur trojan.
This new version of Vultur, which has recently been observed in the wild, combines smishing with follow-up phone calls to talk targets into downloading a fake McAfee Security app; the final payload is delivered in three separate parts to evade detection.
Its latest capabilities include extensive file management operations, abuse of Accessibility Services, app-blocking, disabling of the Keyguard (lock screen), and custom notifications in the status bar.
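Two properties of the campaign described above are checkable on a device: the dropper arrives as an APK hosted outside the app store, and the trojan relies on Accessibility Services. The following triage script is an added example and not part of Traficom's advisory or Fox-IT's report; it parses the output of two standard Android shell commands, `pm list packages -3 -i` (third-party packages with their installer) and `settings get secure enabled_accessibility_services`, and flags apps that were not installed by the Play Store, ranking those with an enabled accessibility service first. The package names in the embedded sample output are constructed for illustration, not indicators from the campaign.

```python
"""Triage an Android device for sideloaded apps holding Accessibility Services.

Added example, not code from the advisory or from Fox-IT. Uses two real
Android shell commands; the sample output below is constructed.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Installers we treat as store installs. Anything else (the Android package
# installer, a browser, "null" for adb installs) counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# Line format of `pm list packages -3 -i`:
#   package:<pkg>  installer=<installer pkg or null>
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed sample output (package names are placeholders, not real IOCs).
SAMPLE_PM = """package:com.android.chrome  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.fakesecurity  installer=com.google.android.packageinstaller
package:com.example.sideloaded  installer=null
"""
# `settings get secure enabled_accessibility_services` returns
# colon-separated "<pkg>/<ServiceClass>" entries, or "null" when none.
SAMPLE_A11Y = "com.example.fakesecurity/com.example.fakesecurity.OverlayService"


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    accessibility_enabled: bool


def parse_pm_list(output: str) -> dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` output."""
    installers: dict[str, str] = {}
    for line in output.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_accessibility(output: str) -> set[str]:
    """Set of packages that own an enabled accessibility service."""
    value = output.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def triage(pm_output: str, a11y_output: str) -> list[Finding]:
    """Return non-store apps, those with accessibility enabled listed first."""
    a11y = parse_accessibility(a11y_output)
    findings = [
        Finding(pkg, installer, pkg in a11y)
        for pkg, installer in parse_pm_list(pm_output).items()
        if installer not in TRUSTED_INSTALLERS
    ]
    # A sideloaded app that also holds Accessibility Services is the
    # combination the page describes, so it sorts to the top.
    findings.sort(key=lambda f: (not f.accessibility_enabled, f.package))
    return findings


def adb_shell(*args: str) -> str:
    """Run a command on the attached device via adb and return stdout."""
    proc = subprocess.run(["adb", "shell", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    try:
        pm_out = adb_shell("pm", "list", "packages", "-3", "-i")
        a11y_out = adb_shell("settings", "get", "secure",
                             "enabled_accessibility_services")
    except (FileNotFoundError, subprocess.CalledProcessError):
        # No adb or no device attached: fall back to the constructed sample.
        pm_out, a11y_out = SAMPLE_PM, SAMPLE_A11Y
    for f in triage(pm_out, a11y_out):
        flag = "ACCESSIBILITY" if f.accessibility_enabled else "sideloaded"
        print(f"{flag:14} {f.package}  (installer={f.installer})")
```

Treat a hit as a starting point for investigation, not proof of infection: legitimate apps are sideloaded too, and the installer attribute is self-reported by the system and can be absent on some builds. Malware that has already disabled the Keyguard or is blocking the Settings app may also interfere with the checks themselves, which is one reason the advisory below recommends a factory reset rather than manual cleanup.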
Victims who have inadvertently installed the malware are advised to promptly contact their bank to activate protection measures and perform a "factory reset" on the infected Android device to erase all data and applications.
OP emphasizes that it never asks customers to divulge sensitive information over the phone or to install any app for payment processing. Any such request should be reported promptly to the bank's customer service and to the police.