A variant of the SpyEye trojan dubbed SpitMo can steal bank account details and divert transaction-validation SMS messages from Android phones.
SpitMo, or SpyEye for mobile, injects templated fields into targeted banks' web pages (a classic man-in-the-browser web inject) asking customers to enter a mobile phone number and the device's international mobile equipment identity (IMEI), a unique identifier for a specific handset.
Collecting the IMEI up front means the criminals no longer have to obtain it after the fact, generate a certificate and push out an updated installer to match it, a round trip that cost them up to three days.
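One way a bank's page-integrity monitoring can catch this kind of inject is to compare the fields the rendered login form actually contains against the fields the bank shipped. The following is an added example, not code from the original article or from Trusteer; the form markup, the field names (`mobile_number`, `imei`) and the allowlist are constructed for illustration and are not taken from SpitMo or from any real bank page.

```javascript
// Added example: detecting a SpyEye-style web inject by diffing the fields
// present in a form against the fields the bank actually serves.
// All markup and names below are constructed for illustration.

// Field names the bank ships in its genuine login form (constructed).
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "csrf_token"]);

// Pull the name attributes of input/select/textarea elements out of markup.
// A real monitor would walk the live DOM (form.elements); the page is a
// string here so the example runs outside a browser.
function fieldNames(formHtml) {
  const names = [];
  const re = /<(?:input|select|textarea)\b[^>]*\sname\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(formHtml)) !== null) names.push(m[1]);
  return names;
}

// Fields present in the rendered form that the bank never shipped.
// Any non-empty result is a strong man-in-the-browser signal.
function injectedFields(formHtml, expected = EXPECTED_LOGIN_FIELDS) {
  return fieldNames(formHtml).filter((n) => !expected.has(n));
}

// Constructed: the genuine form as served by the bank.
const cleanForm = `
<form id="login" method="post" action="/login">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
</form>`;

// Constructed: the same form after an inject has appended a "security"
// block asking for the mobile number and IMEI, as the article describes.
const injectedForm = `
<form id="login" method="post" action="/login">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <div class="notice">For your security, please register your mobile device.</div>
  <input type="text" name="mobile_number" placeholder="Mobile phone number">
  <input type="text" name="imei" placeholder="IMEI">
</form>`;

// Print a verdict for a form and return the unexpected field names.
function report(label, formHtml) {
  const extra = injectedFields(formHtml);
  const verdict = extra.length
    ? "INJECT SUSPECTED, unexpected fields: " + extra.join(", ")
    : "clean";
  console.log(`${label}: ${verdict}`);
  return extra;
}

report("clean form", cleanForm);       // clean
report("injected form", injectedForm); // mobile_number, imei
```

The check only has value if it runs from a context the trojan cannot tamper with, for example a monitoring script served from a separate origin whose findings are reported server-side, since a man-in-the-browser trojan that rewrites the page can just as easily rewrite an in-page integrity script. It is one layer, not a replacement for the endpoint-side protection the article's closing advice refers to.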
The latest iteration of the trojan injects a message that dupes bank customers into clicking on a phony app download.
Clicking the installer, labelled "set the application," walks the user through steps that download and install the malware on the phone.
The user is then instructed to dial a number that supposedly returns an activation code for accessing the bank's site. In reality the Android malware intercepts that call and hands back a fake activation code.
From this point on, every incoming SMS message, including the bank's transaction-validation codes, is intercepted and forwarded to the attacker's command-and-control server, which lets the criminals complete transactions the out-of-band SMS check was meant to block.
What makes the new variant particularly troublesome is that it is unlikely to be detected: it leaves no visual evidence of itself on the phone's dashboard, so users do not realise they are infected or that their text messages are being hijacked.
Trusteer researchers reported in July that the SpyEye trojan was stealing troves of personal information and bank account details. At the time they said the malware could evade the transaction-monitoring systems banks use to spot anomalous activity, and that new variants were appearing frequently.
SpitMo itself was first detected in April by security firm F-Secure, and this week Trusteer researchers found it targeting the Android mobile operating system.
While the infection rate at this point is yet to snowball into a major epidemic, Trusteer researchers are advising organisations to "act now and install a desktop browser security solution as part of a multilayered security profile."