How does SlemBunk collect Android user credentials?

An Android Trojan called SlemBunk is impersonating banking applications in order to collect user credentials. Expert Nick Lewis explains the security measures to stop this malware.

I saw reports of an Android Trojan family called SlemBunk that has the ability to appear as a legitimate app and remain incognito after executing for the first time, giving it the ability to continually collect user credentials. How dangerous is this Android Trojan for mobile users? What security measures or tools can prevent SlemBunk from succeeding?

Mobile malware continues to get significant attention as more financial transactions are performed on mobile devices. Mobile devices have many security advantages over traditional PCs, but they share many of the same limitations that continue to cause challenges for users. Researchers from FireEye identified SlemBunk and reported that the Android Trojan is loaded onto devices by abusing enterprise app store functionality, via sideloading and third-party app stores; it has not yet been detected in the Google Play store. A victim visiting a website is enticed into installing what appears to be an Adobe Flash update, which is actually the malware. Once installed and running, the malware sends device configuration data to a central command-and-control (C&C) server and then starts monitoring for certain banking applications. It is reported to have copied the targeted banking applications, so that a user could be tricked into entering their authentication credentials into the malicious app. The malware authors put significant effort into replicating the user interface of the targeted apps to minimize the chance the victim would realize it was not the legitimate app requesting their login.

A user could check whether the app is signed by a trusted certificate, or by a certificate that corresponds to the targeted organization, but few users check this after the software has been installed. Users can check whether an app is legitimate when downloading it from an app store, but since this is not the Google Play store, the third-party store might not reveal that the app was not published by Adobe and is not a Flash update. FireEye has tools that can block the Android Trojan on the network or on the endpoint, and other network and endpoint security tools can include protections as well, since FireEye has shared indicators of compromise.
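As an added example (not part of the original answer, and not a FireEye tool), the following script turns the two checks above, install source and signing certificate, into a triage pass over a device inventory. It assumes you have captured `adb shell pm list packages -i` output and the SHA-256 signer digests printed by `apksigner verify --print-certs`; every package name and digest in it is a constructed sample.

```python
"""Added example: triage Android packages for sideloading and signer mismatch.
Inputs: text of `adb shell pm list packages -i` ("package:<name>  installer=<pkg|null>")
and per-package SHA-256 signer digests as printed by `apksigner verify --print-certs`.
All package names and digests here are constructed samples, not real data."""
import re
from typing import Dict, List, Tuple

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; anything else is sideloaded
# Pinned signer digests for banking apps in scope (constructed placeholder values).
PINNED_SIGNERS: Dict[str, str] = {"com.example.bank": "ab" * 32}
PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> installer; 'null' means adb or file-manager install."""
    packages: Dict[str, str] = {}
    for line in text.splitlines():
        match = PM_LINE.match(line.strip())
        if match:
            packages[match.group(1)] = match.group(2)
    return packages

def triage(installed: Dict[str, str], signers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (package, reason) findings that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for pkg, installer in installed.items():
        if installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, f"sideloaded (installer={installer})"))
        expected = PINNED_SIGNERS.get(pkg)
        if expected is None:
            continue  # not an app we pin
        actual = signers.get(pkg)
        if actual is None:
            findings.append((pkg, "pinned app without a collected signer digest"))
        elif actual.replace(":", "").lower() != expected:
            findings.append((pkg, "signer digest differs from pinned value"))
    return findings

# Constructed sample: a bank app with an unexpected signer plus a sideloaded
# package posing as a Flash update, the pretext described in the article.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.adobe.flash.update  installer=null
"""
SAMPLE_SIGNERS = {"com.example.bank": "cd" * 32}

if __name__ == "__main__":
    for pkg, reason in triage(parse_pm_list(SAMPLE_PM_OUTPUT), SAMPLE_SIGNERS):
        print(f"{pkg}: {reason}")
```

A digest that matches the pinned value and an installer in the trusted set produce no finding, so the output is only the packages worth examining by hand.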

This was last published in May 2016