SpyEye Trojan variant SpitMo is attacking mobile devices running the Google Android operating system, warns security firm Trusteer.
The change in delivery and infection methods has increased the danger of SpyEye, according to Amit Klein, chief technology officer at Trusteer.
"We always said it was just a matter of time before the true potential of SpitMo was realised," he said.
SpitMo first emerged in April when security firm F-Secure reported the malware was targeting European banks.
The Trojan typically injected fields into a bank's web page asking the customer to input a mobile phone number and the IMEI identity number of the phone.
Initially, the fraudster needed to follow a cumbersome three-stage sequence of getting the IMEI number, generating a certificate and releasing an updated installer.
But now, data gathered by Trusteer's Intelligence Centre has uncovered a new, far more streamlined approach used by SpitMo for Android, which is now active in the wild, said Klein.
"When a user browses to the targeted bank a message is injected presenting a 'new' mandatory security measure, enforced by the bank, in order to use its online banking service," he said.
The injected message promotes a purported Android application that protects the phone's SMS messages from being intercepted and protects the user against fraud.
Once the user clicks on "set the application", they are given further instructions that walk them through downloading and installing the application.
To complete the installation, the user is instructed to dial the number "325000" to get an activation code to access the bank's site in future, but the call is intercepted by the Android malware and a dummy activation code is returned.
Once the Trojan is installed, all incoming SMS messages will be intercepted and transferred to the attacker's command and control server.
Klein says the attack has yet to gain momentum, but what makes it particularly dangerous is that the application is invisible on the device's dashboard, making it virtually undetectable: users are not aware of its presence and will struggle to remove it.
"Organisations and individuals need to act now and protect themselves as this variant has traits to become a more serious threat. My advice is to install a desktop browser security solution as part of a multi-layered security approach," said Klein.