In a statement, the company, formerly known as Kaspersky Lab, said the Trojan-Banker.AndroidOS.Gustuff had been noticed in recent traffic from its botnet tracking system.
The SMS campaign included messages like "Jassica shared an album with you hxxp://instagram-shared.pw/SexyJassica on Instagram Shared". If these messages were opened on a device with an Australian IP address, the URL would redirect to the malware site and the malware would be downloaded.
"Besides common technique of monitoring installed applications and overlaying them with a WebView, Trojan-Banker.AndroidOS.Gustuff now checks for URLs opened in a browser and is able to open a WebView with a fake site overlaying the original Web page," Oleg Abdurashitov, Kaspersky's head of APAC public affairs, said.
The trojan did not limit its activities to these two websites. Banking applications, payment applications and crypto-wallets were also targeted. Users' credentials were harvested by overlaying the original app interface with a phishing Web page, which was either downloaded from a command-and-control server or loaded from a local archive that Gustuff had saved on the device earlier.