A fake Facebook app for Android has the ability to monitor incoming and outgoing messages, as well as gain access to a smartphone user’s banking details, according to IT security company ESET.
The Trojan known as Android/Spy.Agent.AF, or more commonly as iBanking, was detected in November last year and was originally used to get around a common security feature known as two-factor authentication (TFA).
TFA lets a user add an extra layer of login security, often through a one-time PIN sent to the user's phone, and is also commonly used by banks when a user logs into his or her internet banking platform.
However, threat researchers at ESET say the Trojan can be used for more than that.
“Once in place, the Android Trojan can spy on the phone’s activities, including private voice calls, stealing SMS messages, contact lists and call logs, recording audio captured by the Android devices’ microphone even when it’s not making a call, and grabbing the device’s GPS coordinates,” said ESET threat researcher Graham Cluley.
“And, if the hackers can read your SMS messages, they can potentially break into your online bank accounts too.”
According to the researchers, the installation instructions are riddled with grammatical errors, which should already serve to put off potential victims.
“Hopefully the poor grammar is enough to trigger your alarm bells, and prevent you from entering your mobile phone number,” said Cluley.