Apparent security certificate turns out to be Android malware


The fraudsters are targeting Android mobile devices with which users receive mTANs for online banking services. If a user installs the offered app, which was even available in the Google Play store, this does not increase the user's online banking security but opens the gates to attackers.

The email

Potential victims receive an email with an impersonal form of address and more or less detailed information about the EV-SSL certification process. G Data SecurityLabs have registered four different email designs so far.

Here is a selection of subject lines encountered so far:

  • EV-SSL-Zertifikat-App im Smartphone Betriebssystem
  • EV-SSL-Zertifikat. Smartphone Betriebssystem
  • Extended Validation-Zertifikate im Android
  • Extended Validation-Zertifikate im Mobile Banking
  • EVL SSL Zertifikat App im Android
  • Extended Validation-Zertifikate im Smartphone Betriebssystem
  • Smartphone Betriebssystem. EVL-SSL-Zertifikat
  • Zertifikate (Android)


The websites

The emails contain a number of different links in different combinations:

A link to the malicious app in the Google Play store

The Google team was informed immediately. The app is no longer available as an official download.

A link to a legitimate Google support site

This site explains the installation of applications from external sources, i.e. from sources other than Google Play.

A link to a website with top level domain .mobi

The selected top level domain has been chosen to suggest to the email recipient that this website is best called up using mobile devices. Depending on the user agent used to call it up, the webserver returns different results:

If the website is called up on a computer, the user only gets a message stating that the certificates have been installed successfully, even though nothing actually happens. Of course, it is possible that the attackers will implement a malicious function here in the future and thus attack PC users as well.

If the website is called up with an Android device, the user gets a website with a Postbank banner, which contains a download link to an .apk file. The website also shows instructions for installing unsigned apps on Android devices so that the user can install the unsigned malware program on his or her mobile device without encountering any problems.

G Data SecurityLabs have also contacted Postbank. The company takes threats of this type very seriously and has thus informed its customers of this scam on its German homepage as well as on the Postbank Facebook page.

At the end of detailed installation instructions, the user is assured that things will be "much safer" after the installation. Of course that is an outright lie.


The malware code

Installation is possible using a direct download from a website as well as from the Google Play store. Last night, the app was still listed on the official Google market and had between 10 and 50 installations. G Data Security Labs immediately reported the incident to Google and the app has now been removed from Google Play.

The application requires a range of authorisations. Among others, it requests access to incoming SMSs as well as access to all networks. This combination alone is enough for attackers to intercept mTANs on the mobile device. The app connects to two predefined URLS and sends the phone number, IMEI and the account data that the victim has entered in the app to this/these address(es). Hence, SMSs with mTANs intercepted at a later stage can be assigned to the right phone and corresponding account data.
To ensure that the app is activated when the phone is restarted, it expects the "execute on start-up" authorisation.

When the app is started, it prompts you to enter an account number and PIN, whereby the app checks the number of digits entered: If you enter an account number with less than 4 digits or a PIN with less than 5 digits, an error message is output. Entering a fictitious 9-digit account number and a fictitious 5-digit PIN resulted in a message confirming the successful installation of the so-called certificate app.

G Data MobileSecurity products block the described malicious app!