Source code for an Android banking app has been published online, spurring fears it could prompt a wave of malicious apps.
The code has is being injected into otherwise legitimate apps and shared as APK installation files or on third party app stores, notorious as harbours for malicious apps.
Users will need to grant the app, "Android.BankBot.149.origin", extensive permissions including administrator access in order for it to be able to steal data.
If users, many of whom allow software to do almost anything, allow the software to run it can can siphon banking credentials from the likes of Bank of America, PayPal, and Google Play. Credentials from the likes of Facebook, Viber, Youtube, WhatsApp, Uber, Snapchat, WeChat,Instagram and Twitter will also be sucked up and sent to unknown parties .
Antivirus firm Dr Web says says the app is standard fare in terms of malicious Android apps but is unusual in that the code has been offered up for free, something that will likely result in the creation of more malicious apps.
"When an SMS message arrives, the trojan turns off all sounds and vibrations, sends the message content to the cybercriminals, and attempts to delete the original messages from the list of incoming SMS," Dr Web researchers wrote.
"As a result, a user could miss not only bank notifications about the unplanned transactions but also other incoming messages.
"In general, the [capabilities] of this trojan are quite standard for modern Android bankers, however, as cybercriminals created it with publicly available information, one can anticipate that many trojans similar to it will appear."
Harvested device data is shipped to attackers' command and control servers and appears on adminstrator panels from where the application can be controlled.
The app can also steal all phone contacts, track user location, and create phishing dialogues. ®