Android users could be hit with a new wave of dangerous banking malware following the leak of source code for a capable Android trojan.
Users could be targeted with variants of the malware, known as "GM Bot", that is capable of harvesting usernames and passwords using slick keystroke-capturing website overlays.
Since it infects mobile handsets it can steal two factor authentication including SMS and even redirect phone calls.
IBM threat bod Limor Kessem says the leak appears to have come from a GM Bot buyer and is bad news for users.
"This turnkey capability is the true differentiator; previous mobile malware could steal SMS codes, but those would have been meaningless without phishing schemes or a trojan on the victim’s PC to steal access credentials," Kessem says.
"The reverse was also true: phishers and PC trojan operators could not facilitate fraudulent transactions without mobile malware to intercept the SMS codes or calls from the bank.
"In short, mobile banking trojans such as GM Bot are a one-stop fraud shop for criminals."
Attackers can target any website or banking app to harvest credentials and tokens from infected phones.
GM Bot was first discovered late last year when CERT Poland described the malware as a simple but effective bank raiding tool.
The CERT's researchers said of the malware that "... the attacker needs only to infect the Android phone and there is no need for a Windows counterpart."
The malware joins the ranks of other leaked PC trojans including Zeus, SpyEye, and Carberp.
If history is a judge, it is likely the malware will result in various low- and high- quality spin-offs.
Users should update their handsets to the latest Android versions which contain more rigorous security and permission checks. Those who cannot upgrade from old versions on account of vendors no longer shipping updates can consider installing custom but well-supported-and-maintained ROMs such as Cyanogenmod and NamelessROM. ®