NCC-CSIRT alerts consumers to banking app-targeting malware

*The Nigerian Communications Commission cautions consumers against the malware intended to steal credentials, combined with the use of SMS and notification interception to log-in and use potential 2-factor authentication tokens

Isola Moses | ConsumerConnect

As part of the telecoms regulatory Commission’s consumer sensitisation and education initiatives, the Nigerian Communications Commission’s Computer Security Incident Response Team (CSIRT) has said it discovered a newly-hatched malicious software that steals users’ banking app login credentials on Android devices.

ConsumerConnect reports a security advisory from the NCC CSIRT indicates the malicious software called “Xenomorph”, found to target 56 financial institutions from Europe, has high impact and high vulnerability rate.

Dr. Ikechukwu Adinde, Director of Public Affairs at NCC, stated the NCC noted that the main intent of this malware is to steal credentials, combined with the use of SMS and Notification interception to log-in and use potential 2-factor authentication tokens.

RELATED Cybersecurity: NCC-CSIRT Identifies 2 Cyber Vulnerabilities, Offers Measures For Consumer Protection

“Xenomorph is propagated by an application that was slipped into Google Play store and masquerading as a legitimate application called “Fast Cleaner” ostensibly meant to clear junk, increase device speed and optimise battery.

“In reality, this app is only a means by which the Xenomorph Trojan could be propagated easily and efficiently,” stated the Commission.

The NCC noted in order to avoid early detection or being denied access to the PlayStore, “Fast Cleaner” was disseminated before the malware was placed on the remote server, making it hard for Google to determine that such an app is being used for malicious actions.

READ ALSO Cybersecurity: Nigeria Designs Protection Plan For Critical National Information Infrastructure

The Commission also stated: “Once up and running on a victim’s device, Xenomorph can harvest device information and Short Messaging Service (SMS), intercept notifications and new SMS messages, perform overlay attacks, and prevent users from uninstalling it.

“The threat also asks for Accessibility Services privileges, which allow it to grant itself further permissions.”

According to NCC, the CSIRT further stated that the malware also steals victims’ banking credentials by overlaying fake login pages on top of legitimate ones.

RELATED: Telecoms Regulator Urges Responsible Use Of Internet, Protection Of Telecoms Infrastructure

Considering that it can also intercept messages and notifications, the telecoms regulator disclosed that it allows its operators to bypass SMS-based two-factor authentication and log into the victims’ accounts without alerting them.

The CSIRT security advisory asserted: “Xenomorph has been found to target 56 internet banking apps, 28 from Spain, 12 from Italy, 9 from Belgium, and 7 from Portugal, as well as Cryptocurrency wallets and general-purpose applications like emailing services.

“The Fast Cleaner app has now been removed from the Play Store but not before it garnered 50,000+ downloads.”

READ ALSO: Telecoms Regulator’s Central Mandate Is To Ensure Consumer Protection ─NCC

The Director of Public Affairs of NCC said the Commission hereby wishes to advise telecoms consumers to be on the alert in order not to fall victim to this manipulation.

Accordingly, the NCC urges telecoms consumers and other Internet users, particularly those using Android-powered devices to use trusted Antivirus solutions and update them regularly to their latest definitions.

The Commission also implores consumers and other stakeholders to always update banking applications to their most recent versions.

Kindly Share This Story