Finland Warns Of New Android Malware Campaign


Finland has warned of an ongoing Android malware campaign that targets banking details of its victims by enticing them to download a malicious counterfeit McAfee app.

Finland’s Transport and Communications Agency – Traficom – issued a warning last week about an ongoing Android malware campaign that aims to withdraw money from the victim’s online bank accounts.

Traficom said this campaign exclusively targets Android devices, with no separate infection chain identified for Apple iPhone users.

The agency has identified multiple cases of SMS messages written in Finnish, instructing recipients to call a specified number. These messages often impersonate banks or payment service providers like MobilePay and use spoofing technology to appear as if they originate from domestic telecom operators or local networks.

Finnish language smishing message (Credit: Traficom)

The scammers answering these calls direct victims to install a McAfee app under the guise of providing protection. However, the McAfee app being promoted is, in fact, malware designed to compromise victims’ bank accounts.

According to reports received by the Cyber Security Center, targets are prompted to download a McAfee application via a link provided in the message. This link leads to the download of an .apk application hosted outside the app store for Android devices. Contrary to expectations, this is not antivirus software but malware intended for installation on the phone.

The OP Financial Group, a prominent financial service provider in Finland, also issued an alert on its website regarding these deceptive messages impersonating banks or national authorities.

The police have similarly emphasized the threat posed by this malware, warning that it enables operators to access victims’ banking accounts and initiate unauthorized money transfers. In one reported case, a victim lost 95,000 euros (approximately $102,000) due to the scam.

Vultur Android Malware Campaign Trademarks

While Finnish authorities have not definitively identified the type of malware involved or shared specific hashes or IDs for the APK files, the attacks bear a striking resemblance to those reported by Fox-IT analysts in connection with a new version of the Vultur trojan.

Vultur Trojan infection chain (Credit: Fox-IT)

The new iteration of the Vultur trojan employs hybrid smishing and phone call attacks to persuade targets into downloading a fake McAfee Security app. This app introduces the final payload in three separate parts for evasion purposes. Notable features of this latest version include extensive file management operations, abuse of Accessibility Services, app blocking, disabling Keyguard, and serving custom notifications in the status bar.

Things to Do If You Suspect You Are a Victim

If you suspect that your device has been infected with the malware, it is advisable to contact your bank immediately to enable protection measures. Additionally, restoring “factory settings” on the infected Android device to wipe all data and apps is recommended.

OP Financial Group emphasizes that they do not request customers to share sensitive data over the phone or install any apps to receive or cancel payments.

“We will never send you messages with a link to the online bank login page. The bank also never asks you for your ID or card information via messages. Such messages are scams and you should not click on the links in them,” the OP Financial Group said.

“Even in order to receive or cancel a payment, you do not need to log in from a link, confirm with codes or provide your information. If you are asked to do this, contact the bank’s customer service.”

Any similar requests should also be promptly reported to the police.

The news of the online banking fraud comes days after a multinational police operation cracked open a massive fraudulent call center network run across Europe that targeted senior citizens in particular, with the intent of duping them out of thousands of dollars.

The crackdown, dubbed Operation Pandora, was initiated when a vigilant bank teller in Freiburg, Germany, alerted law enforcement to a 76-year-old customer attempting to withdraw a large sum of money.

Scammers employed various tactics, posing as relatives, bank employees or police officers, to deceive victims into surrendering their savings. The operation revealed call centers operating in different countries, each specializing in different types of telephone fraud, from investment scams to debt collection demands.
