Mobile banking Trojans for Android devices, disguised as real banking apps, have made their way into the official Google Play store, where at least one remained available until earlier this week.
Once a user downloads and launches one of the malicious apps, which are all variants of the CitMo Trojan, the app prompts users to enter their phone numbers. Then users are asked to enter a 5-digit code they receive via text message.
Entering that code "authorizes" the app, which then hides text messages to and from financial institutions by creating two new files.
"The file 'hide.txt' will contain information about the numbers which must be hidden if an incoming SMS message is received from [them]," Kaspersky Lab expert Denis Maslennikov said in a blog posting.
"The file 'view.txt' will contain information about numbers which must be shown on the screen if an incoming SMS message is received from [them]. These actions are performed in order to hide all the activities related to the transfer of money stolen from a user's account."
Maslennikov added that one developer, listed as "Samsonov Sergey" (the names are likely reversed), was responsible for at least three banking Trojans that made it into Android's official app store, all with the exact same functionality.
To its credit, Maslennikov said, Google rid Google Play of the offending apps yesterday (Dec. 13), the day after Kaspersky alerted it to the bugs.
These aren't the first malicious apps to make it into Google Play, but the official store is much safer to buy from than "off-road" app markets.
No matter where its owner shops for apps, every Android device should have anti-virus software installed.