EDITOR NOTE: We often see cyberattacks as an “ongoing” issue, but rarely do we pay attention to their “evolutionary” attributes. For every advanced cyberattack, we assume an advanced solution to counter it. What happens if the illness supersedes the cure? The latest malware, called Toddler, is an Android-targeted banking Trojan. It has infected over seven thousand mobile banking customers at over 60 banks in Europe. It’s designed to replicate a legitimate online bank login screen. Its access can’t be turned off by a mere reboot. In fact, removing Toddler requires “huge technical expertise,” according to the report below. It steals your financial information and user login, and it’s likely capable of taking command of your digital bank account and cryptocurrency wallet once all of your information has been exposed and rendered accessible. We’re still at the dawn of Fintech and digital banking. The online banking era has barely begun. And now, digital banking customers face an existential threat to their money, wealth, and livelihood, all at the swipe of a screen. There is no reason to put your wealth at risk. Hard and cold storage in physical assets via non-CUSIP gold and silver is the only way to guarantee the preservation of your wealth.
Cybersecurity researchers have unearthed a new Android banking Trojan dubbed ‘Toddler’, which is infecting users across Europe. According to the PRODAFT Threat Intelligence (PTI) team, Toddler, also known as TeaBot or Anatsa, is part of a growing wave of mobile banking malware targeting countries such as Spain, Germany, Switzerland, and the Netherlands.
The malware was first identified in January by the cybersecurity firm Cleafy. Threat actors have used it to attack customers of 60 banks in Europe. In June, Bitdefender identified Spain and Italy as the two countries where users were most likely to be infected.
According to PTI, Spain tops the list of affected countries in this year’s malware analysis. To date, at least 7,632 mobile devices have been infected. After breaking into the Command and Control (C2) server used by the Trojan’s operators, the researchers also recovered over 1,000 sets of stolen banking credentials.
Researchers have spotted numerous legitimate websites “serving” the Toddler malware through malicious .APK files and Android apps. However, there is no evidence of the malware on the Google Play Store; in other words, infection requires the victim to sideload the APK from outside the store.
Toddler is pre-configured to target the users of “dozens” of banks across Europe, yet all known infections so far relate to just 18 financial organizations, five of which account for 90% of attacks. The Trojan uses overlay attacks to trick victims into submitting banking credentials on fraudulent login screens. Once installed, the malware monitors which apps are opened, and once a targeted app is launched, the overlay attack begins.
"Toddler downloads the specially-crafted login page for the opened target application from its C2. The downloaded webview phishing page is then laid over the target application. The user suspects nothing because this event happens almost instantaneously when the legitimate application is opened,” PRODAFT noted.
The malware also attempts to steal other account credentials, such as those used to access cryptocurrency wallets. Its C2 command set includes waking the infected device’s screen, prompting the user to grant permissions, uninstalling apps, and attempting to access Google Authenticator through the Accessibility Service.
The persistence this Trojan achieves is unusual. Toddler includes multiple persistence mechanisms; most notably, it abuses accessibility features to prevent infected devices from rebooting. "Toddler sets a new precedent for persistence module implementation. Removal of the malware from the device requires huge technical expertise, and it looks like the process will not get easier in the future,” researchers stated.
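The two capabilities described above, drawing a phishing page over a legitimate app (the overlay attack) and reading or acting on the screen through the Accessibility Service (credential theft, Authenticator access, blocking removal), both have to be declared in an APK's manifest. The following triage script, an added example and not code from PRODAFT, Cleafy or eHacking News, parses a decoded AndroidManifest.xml and flags that combination. It assumes the manifest has already been decoded to plain XML (for instance with apktool); it does not parse binary AXML. The permission names are the real Android ones; the two sample manifests and the package names in them are constructed for the example.

```python
"""Triage a decoded AndroidManifest.xml for the overlay-plus-accessibility
capability profile of Android banking Trojans. Added example; assumes the
manifest is plain XML (e.g. apktool output), not binary AXML."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names. SYSTEM_ALERT_WINDOW lets an app draw over
# other apps (the overlay). BIND_ACCESSIBILITY_SERVICE marks a service the
# system will feed screen content and input events to. BIND_DEVICE_ADMIN
# marks a device-admin receiver, which makes the app harder to uninstall.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def _android(attr):
    """Namespaced attribute key ElementTree uses for android:<attr>."""
    return "{%s}%s" % (ANDROID_NS, attr)


def assess_manifest(manifest_xml):
    """Return the package name, which capabilities are declared, and a verdict."""
    root = ET.fromstring(manifest_xml)
    # Permissions the app requests for itself.
    requested = {e.get(_android("name")) for e in root.iter("uses-permission")}
    # Permissions a component demands of whoever binds it: this is how an
    # accessibility service or a device-admin receiver is declared.
    bound = {e.get(_android("permission"))
             for tag in ("service", "receiver") for e in root.iter(tag)}
    caps = {
        "overlay": OVERLAY_PERM in requested,
        "accessibility": ACCESSIBILITY_BIND in bound,
        "device_admin": DEVICE_ADMIN_BIND in bound,
        "sms": bool(requested & SMS_PERMS),
        "sideload": INSTALL_PERM in requested,
    }
    if caps["overlay"] and caps["accessibility"]:
        # Can draw a fake login screen and read/act on the real one.
        verdict = "high"
    elif caps["accessibility"] or (caps["overlay"] and caps["sms"]):
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "capabilities": caps, "verdict": verdict}


# Constructed sample manifests; neither corresponds to a real app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        result = assess_manifest(manifest)
        flagged = sorted(k for k, v in result["capabilities"].items() if v)
        print(result["package"], result["verdict"], flagged)
```

This is a static heuristic, not proof: screen readers and some parental-control apps legitimately bind an accessibility service, and a manifest without these flags does not make an app clean. On a live device, `adb shell settings get secure enabled_accessibility_services` lists which accessibility services are currently switched on, which is the runtime check for the persistence behaviour described above.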
Originally posted on eHacking News