The banking credentials of Android device users are being threatened by a new, self-updating trojan that poses as a one-time password application (OTP).

Once users downloaded the token-generator application from a third-party forum -- the official Android Market is not affected -- attackers could siphon data from phones, according to McAfee Labs security researcher Carlos Castillo.

The malware mostly targeted users of Spanish banks like Santander and Banesto and appeared credible because it disguised itself with the logo and color of the bank in the application.

Castillo said in a blog post that once the application launched, a web page appeared that “pretends to be a token generator.”

Security tokens issued by banks are a series of digits used for authentication purposes, also known as mobile transaction authentication numbers (mTANs). To obtain their token, users are prompted to enter their online banking username and password.

The “generate” option within the app displays the fake token. The app can then intercept SMS messages from the bank to the user, through a man-in-the-middle attack, and forward them to the criminal.

Banks often send out mTANs to customers via SMS messages once a transaction has been made or is in process of being completed. Once the malicious application is launched, however, these messages are intercepted and sent off to a third-party server, along with the victim's online banking login information.

The malware is not predominant or widespread yet but Castillo foresaw more financially driven attacks migrating to the mobile platform.

“Android allows the user to enable and disable the installation of applications from non-market applications, which can increase the risk of infection,” said Castillo in an email to “For these reasons, I believe malware authors will continue to try and achieve financial gain from Android users with malicious applications for this platform.”

\Third-party markets are a hotbed for malicious malware applications. While Google has the ability to remotely revoke privileges of malicious applications within its market, those downloaded outside of Google's marketplace can easily go unnoticed.