Malware hijacks Westpac, ANZ apps and steals security SMS codes

Two major banks in Fiji are among those targeted in a recent smartphone malware attack allowing thieves to bypass security measures to log into the victims’ online banking account from anywhere in the world and transfer funds.

Westpac Fiji has an existing SMS Banking facility for local customers.  It is understood both banks use their parent companies’ technology to conduct business in Fiji.

Editor’s Note: Questions have been sent to Westpac and ANZ in Fiji to clarify implications to local customers.  This article will be updated once we get a response.

Australia’s Sydney Morning Herald reported that millions of customers of Australia’s largest banks are the target of a sophisticated Android attack which steals banking details and thwarts two-factor authentication security.

Along with stealing login details, the malware can also intercept two-factor authentication codes sent to the phone via SMS — forwarding the code to hackers while hiding it from the owner of the phone.

The malware attack has evolved over time, becoming more sophisticated as hackers update the software to defeat security countermeasures, says ESET senior research fellow Nick FitzGerald.

“This is a significant attack on the banking sector in Australia and New Zealand, and shouldn’t be taken lightly,” FitzGerald says.

“While 20 banking apps have been targeted so far, there’s a high possibility the e-criminals involved will further develop this malware to attack more banking apps in the future.”