The malware, dubbed ‘The Invisible Man’, is a strain of the Svpeng banking trojan and is targeting customers of banks in the UK, Australia, Singapore and elsewhere.
The malware is hidden inside a fake Adobe Flash Player app and, once it infects a device, it is capable of displaying an invisible overlay on a legitimate banking app.
The overlay, which displays a fake login screen, then uses a keylogger to record which keys are pressed while the app is open, meaning that the cybercriminals behind the malware are able to steal account credentials such as usernames and passwords.
The malware was discovered by researchers at Kaspersky Labs and has already hit customers using 14 different banking apps in the UK, 10 in Germany, 9 in Australia and 6 in Singapore.
Roman Unuchek, an analyst with Kaspersky, said the Invisible Man malware can infect even the most up-to-date devices.
“Its malicious techniques work even on fully updated devices with the latest Android version and all security updates installed.
“By accessing only one system feature, this Trojan can gain all necessary additional rights and steal lots of data.”
While it is not known who is responsible for creating the malware, Unuchek believes it is the work of Russian cybercriminals.
This is because the malware does not infect devices with Russian set as the default language.
“This is a standard tactic for Russian cybercriminals looking to evade detection and arrest,” Unuchek said in a blog post.
Unuchek has a pretty good track record when it comes to warning users about the latest malware and virus threats.
He has previously alerted Google to a number of major viruses targeting users, one in June, and has done extensive work on the Svpeng strain of malware, which he describes as one of the ‘most dangerous’ there is.
“The Svpeng malware family is known for being innovative. Starting from 2013, it was among the first to begin attacking SMS banking, to use phishing pages to overlay other apps to steal credentials, and to block devices and demand money,” Unuchek said.
“In 2016, cybercriminals were actively distributing Svpeng through AdSense using a vulnerability in the Chrome browser. This makes Svpeng one of the most dangerous mobile malware families.”