German police warns about Android banking Trojans

Following a string of complaints about fraudulent cash withdrawals, the Berlin Police Department has issued a warning (via Google Translate) for all Android users, telling them to carefully review any security update that is delivered to their smartphones.

Users who have opted to receive mTAN (mobile transaction authentication numbers) as an additional way to assure the security of their online banking transactions are especially targeted, since the fake security updates carry Zeus-in-the-Mobile (Zitmo).

The malware in question is harmless if the criminals haven’t managed to infect the users’ computer with the Zeus banking Trojan beforehand. The Windows-based Trojan is capable of injecting an additional form during the users’ banking session, asking them to share their phone number and model.

Armed with this information, the criminals send Zitmo masquerading as a security update to them. If the users install the “update”, the criminals have access to the mTANs and are ready to perform illegal transactions.

Not only can they empty the whole account, but they can also leave the victims further in debt by taking advantage of the overdraft option. Victims are unlikely to ever get the money returned to them, as chargebacks are not possible.

Users are advised to always check with their bank if security updates purportedly coming from them have really be sent by them, and the same advice applies for email notifications that seem a bit off.

Having a PC and smartphone AV solution installed on their devices is also recommended.