The malware, dubbed Android.Bankosy, has been updated to intercept the one-time passcodes that are part of so-called two-factor authentication systems.
Many online banking applications require a login and password plus a time-sensitive code in order to gain access. The one-time passcode is sent over SMS but can also be delivered via an automated phone call.
Some banks have moved to call-based delivery of passcodes. In theory, that provides better security since SMS messages can be intercepted by some malware.
The one-time passcode is used with the victim’s login credentials, which the attackers have presumably already obtained.