Announcement of 26. April 2013

Cyber crime 3.0: malicious app targeting mTANs

G Data discovers supposed security certificate for Android mobile devices

Cyber criminals are currently targeting Android mobile devices to steal mTANs and PINs for online bank accounts. The criminals do so by using an email supposedly coming from Postbank, which tries to convince users to install an "SSL certificate app". If users access the link in the email via their smartphone or tablet, they are taken to a website that provides the supposed SSL certificate app and installation instructions. Once installed, the malicious app, which claims to make mobile online banking more secure, spies on mTANs and PINs and sends them to the perpetrators. This enables criminals to manipulate online banking transactions and divert money to other accounts during transfers. Customers who secure their Android devices with G Data MobileSecurity 2 are protected from this malware.


Smartphones and tablet PCs are among the devices used in the two-way authentication process. As part of this process, the bank sends an SMS with the transaction number (TAN) to the smartphone or tablet. This makes these devices worthwhile targets for "cyber crime 3.0" perpetrators, because many users do not install security solutions on their mobile devices.

In this case, the perpetrators claim to be working for Postbank customer support and send out millions of fake service emails asking the recipients to install the supposed "SSL certificate app". Instead of a banking security app, they end up installing malware that instantly forwards all mTANs it encounters to the criminals.

Example of an email claiming to be from Postbank:

When accessed from a mobile device, the link contained in the email text leads to a specially prepared website with a Postbank banner, which provides the supposed security app and installation instructions. If the website is accessed from a PC, users just get a message stating that the certificate has been installed successfully.

Screenshot of the website with installation instructions and the malicious app for downloading:

Once the app has been installed, the user is prompted to enter their account number and PINs. In addition, the program requests a range of permissions, which enable it to access incoming SMS messages, among other things. The perpetrators are thus able to steal the data required for online banking transactions and to manipulate bank transfers.


G DATA Software AG
G DATA Campus
Königsallee 178
D-44799 Bochum