Overlay‑Based Trojan Targets 800+ Android Banking Apps to Steal PINs
What Happened — A coordinated Android banking‑malware campaign is abusing screen‑overlay techniques, Accessibility permissions, and sideloaded fake apps to capture users’ PIN entry across more than 800 mobile applications. The trojan presents a counterfeit PIN‑entry screen that records the digits before passing control back to the legitimate app.
Why It Matters for TPRM —
- Credential‑theft malware bundled into, or impersonating, a vendor’s mobile SDK can expose customer banking credentials, creating downstream fraud risk.
- The use of legitimate Android permissions (Accessibility, overlay) makes detection difficult for endpoint security tools.
- A large‑scale, multi‑app targeting effort indicates a mature threat actor capable of rapid, wide‑impact campaigns.
Who Is Affected — Financial services (banking & fintech), mobile app developers, and any third‑party that distributes Android SDKs or APIs to banking apps.
Recommended Actions —
- Review any third‑party Android SDKs or libraries used in your mobile applications for unnecessary Accessibility or overlay permissions.
- Enforce strict code‑signing and app‑store verification for all mobile releases; block sideloaded installations on corporate‑managed devices.
- Deploy mobile threat‑detection solutions that monitor overlay windows and abnormal permission usage.
Technical Notes — The trojan leverages Android’s SYSTEM_ALERT_WINDOW overlay capability combined with Accessibility Service abuse to capture on‑screen PIN entry. No specific CVE is cited; the attack exploits legitimate OS features rather than a vulnerability. Data exfiltrated includes numeric PINs and potentially session tokens. Source: TechRepublic Security
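The SDK review called for under Recommended Actions can be partly automated by checking each app or SDK manifest for the two capabilities named in the Technical Notes. The script below is an added example, not code from the advisory or its source; it assumes the AndroidManifest.xml has already been decoded from the APK’s binary XML (for instance with apktool) and uses a constructed sample manifest for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(manifest_xml: str) -> dict:
    """Report overlay and Accessibility Service declarations in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {_attr(p, "name") for p in root.iter("uses-permission")}
    a11y_services = []
    for svc in root.iter("service"):
        actions = {_attr(a, "name") for a in svc.iter("action")}
        # An Accessibility Service must be bound with BIND_ACCESSIBILITY_SERVICE
        # and normally advertises the AccessibilityService intent action.
        if _attr(svc, "permission") == A11Y_BIND_PERM or A11Y_ACTION in actions:
            a11y_services.append(_attr(svc, "name"))
    findings = {
        "package": root.get("package"),
        "overlay_permission": OVERLAY_PERM in permissions,
        "accessibility_services": a11y_services,
    }
    # Flag for manual review when both capabilities co-occur; legitimate
    # assistive apps may declare them too, so this is a triage signal, not a verdict.
    findings["needs_review"] = findings["overlay_permission"] and bool(a11y_services)
    return findings


# Constructed sample manifest (hypothetical package and service names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sdkhost">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```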