The SpyEye hacking toolkit has added an Android component that collects the text messages some banks use as an extra security precaution, a researcher said today.
"The standard SpyEye now also entices a user to download an Android app, which is actually a component that's Android-specific malware," said Amit Klein, the chief technology officer of Boston-based Trusteer, a security firm that specializes in online anti-cybercrime defenses.
The Android app poses as a security program -- ironically, one that's supposed to protect a user's text messages from being intercepted -- required to use a bank's online services from a mobile device.
Many banks now send customers a one-time code, usually a series of numbers, to their mobile phone. To access the account, a user must enter not only the traditional username and password, but also the just-received passcode.
It's that passcode that the bogus Android app intercepts and then re-transmits to a hacker-managed command-and-control (C&C) server, said Klein.
"The desktop portion of SpyEye captures the username and password," Klein noted. "But to conduct online fraud against many banks today, a bit more is needed by the cyber criminals. [The text message-intercepting] piece was what SpyEye was missing."
Users are told to download the Android malware when they browse to any targeted bank that requires the additional passcode authentication sent as a text message. Once the criminals have the customer's username and password, and a just-issued passcode, they can quickly log into the account and drain it of its funds.
Trusteer classified both the desktop and Android components as Trojan horses, a specialty of the SpyEye exploit-construction kit.
According to Klein, the SpyEye double-whammy -- the typical desktop-oriented Trojan that targets Windows and the new Android component -- is circulating in Europe and Australia, aiming to dupe customers of banks on those continents.
But Klein figures that the new malware will show up elsewhere soon. "This isn't an isolated case," he said, "so I expect it to come to other regions."
While the Android component is downloaded from one of several URLs that the desktop part of SpyEye shows victims, Klein said that a similar program has been seen on what he called "informal markets," the unofficial Android app stores that have proliferated in countries such as China.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.