A malicious Android app is trying to scam Brazilian bank customers

Some of the Brazilian banks targeted operate in Spain, Portugal and across Latin America, according to IBM.
Brazilian currency. A new banking trojan is targeting Brazilian banks (Flickr/Mark Hillary).

Brazil’s financial sector, which has long grappled with cybercrime, has a new foe.

An insidious Android application is trying to steal users’ login credentials, and their money, by impersonating Brazilian banks, researchers from IBM Security said Tuesday.

The malicious code is designed to steal the text messages that people use as a secondary security measure to log into their bank accounts. While focused on Brazil, the code could be repurposed to target banking sectors elsewhere, the researchers warned.

It is the latest hacking tool to be aimed at Brazil’s financial sector, which has had to contend with cybercrime for years.


“Malware of this type is extremely simple to redirect to other regions by changing the target list and embedded screens, thereby modifying its attack turf and potential targets,” IBM researchers Ben Wagner and Limor Kessem wrote in a blog post.

Some of the Brazilian banks targeted operate in Spain, Portugal and across Latin America, according to IBM. The researchers didn’t name the targeted entities, and it remains unclear if any of the phishing attempts were successful.

IBM researchers also reported this month on another piece of malware that apparently originated in Brazil, but was being used to attack bank customers in Spain.

The code in the newest banking trojan — as the credential-stealing malware is called — is entirely new, according to IBM. But it uses a trick that is increasingly popular with cybercriminals: It lurks in the background of a user’s phone until the right time to display a fake banking login page. The success of the attack hinges on whether the person takes the bait and enters their credentials.

The hackers were sloppy in covering their tracks. Wagner and Kessem said the malware was easy to reverse-engineer and, unlike similar hacking tools, does not check whether it is being deployed in a virtual environment before installing.


“Malware is often created in a very agile development cycle, released as soon as a working module can help attackers achieve their goals,” Kessem told CyberScoop. “This malware is likely a work in progress and we may end up seeing it evolve further in the coming months.”

While Google has hired mobile security firms to clamp down on the number of malicious apps that appear in the Play Store, hackers have leveraged third-party app stores to get their malware onto Android phones.

With this new banking trojan, scammers are sending instructions to potential victims on how to download the app from a third-party source, beyond the reach of the Play Store’s gatekeepers.

Written by Sean Lyngaas
