Image Source: Symantec

A former information-stealing Android malware, Bankosy, added functionality in late 2015 to enable it to deceive two-factor authentication (2FA) systems that use voice calls. In a common 2FA system, a one-time passcode is sent to the user's mobile number through SMS text; however, to improve security, some organizations deliver these passcodes through voice calls. Bankosy mobile malware is able to exploit the voice-based 2FA system to intercept the 2FA passcode. When the malware is installed on the victim's device, it opens a backdoor, collects system information, and sends it to the C2 server. The server registers the device and received a unique identifier. When registration is successful, it uses the identifier to continue communicating with the C2 server and receive commands. One of these commands, call_forwarding, when received by the malware from the C2 server executes a payload to enable call forwarding. Once unconditional call forwarding is enabled, the attacker can intercept the 2FA system and obtain the one-time passcode. This can be used for bank accounts that have 2FA enabled. After gaining access to the account, an attacker can enable a transaction to steal funds.

As of June, Bankosy has been leveraging new tactics to circumvent new security enhancements. The malware uses an open source project hosted on GitHub to find current running tasks. Additionally, Bankosy derives current running tasks from the UsageStatsManager API output, gaining access to the device's usage history and statistics by using social engineering to masquerade as Google Chrome requesting access permission.


  • June 2016: Android banking malware finds new ways to derive current running tasks. (Symantec)

Technical Details

  • Symantec provides technical details on Bankosy mobile malware, available here.