Log in
Show password
Forgot password ?
Become a member for free
Sign up
Sign up
New member
Sign up for FREE
New customer
Discover our services
Dynamic quotes 
  1. Homepage
  2. Equities
  3. United States
  4. Nasdaq
  5. McAfee Corp.
  6. News
  7. Summary
    MCFE   US5790631080


SummaryMost relevantAll NewsAnalyst Reco.Other languagesPress ReleasesOfficial PublicationsSector newsMarketScreener Strategies

McAfee : Android malware distributed in Mexico uses Covid-19 to steal financial credentials

09/13/2021 | 08:52am EST

McAfee Mobile Malware Research Team has identified malware targeting Mexico. It poses as a security banking tool or as a bank application designed to report an out-of-service ATM. In both instances, the malware relies on the sense of urgency created by tools designed to prevent fraud to encourage targets to use them. This malware can steal authentication factors crucial to accessing accounts from their victims on the targeted financial institutions in Mexico.

McAfee Mobile Security is identifying this threat as Android/Banker.BT along with its variants.

How does this malware spread?

The malware is distributed by a malicious phishing page that provides actual banking security tips (copied from the original bank site) and recommends downloading the malicious apps as a security tool or as an app to report out-of-service ATM. It's very likely that a smishing campaign is associated with this threat as part of the distribution method or it's also possible that victims may be contacted directly by scam phone calls made by the criminals, a common occurrence in Latin America. Fortunately, this threat has not been identified on Google Play yet.

Here's how to protect yourself

During the pandemic, banks adopted new ways to interact with their clients. These rapid changes meant customers were more willing to accept new procedures and to install new apps as part of the 'new normal' to interact remotely. Seeing this, cyber-criminals introduced new scams and phishing attacks that looked more credible than those in the past leaving customers more susceptible.

Fortunately, McAfee Mobile Security is able to detect this new threat as Android/Banker.BT. To protect yourself from this and similar threats:

  • Employ security software on your mobile devices
  • Think twice before downloading and installing suspicious apps especially if they request SMS or Notification listener permissions.
  • Use official app stores however never trust them blindly as malware may be distributed on these stores too so check for permissions, read reviews and seek out developer information if available.
  • Use token based second authentication factor apps (hardware or software) over SMS message authentication

Interested in the details? Here's a deep dive on this malware

Behavior: Carefully guiding the victim to provide their credentials

Once the malicious app is installed and started, the first activity shows a message in Spanish that explains the fake purpose of the app:

- Fake Tool to report fraudulent movements that creates a sense of urgency:

'The 'bank name has created a tool to allow you to block any suspicious movement. All operations listed on the app are still pending. If you fail to block the unrecognized movements in less than 24 hours, then they will charge your account automatically.

At the end of the blocking process, you will receive an SMS message with the details of the blocked operations.'

- In the case of the Fake ATM failure tool to request a new credit card under the pandemic context, there is a similar text that lures users into a false sense of security:

'As a Covid-19 sanitary measure, this new option has been created. You will receive an ID via SMS for your report and then you can request your new card at any branch or receive it at your registered home address for free. Alert! We will never request your sensitive data such as NIP or CVV.'This gives credibility to the app since it's saying it will not ask for some sensitive data; however, it will ask for web banking credentials.

If the victims tap on 'Ingresar' ('access') then the banking trojan asks for SMS permissions and launch activity to enter the user id or account number and then the password. In the background, the password or 'clave' is transmitted to the criminal's server without verifying if the provided credentials are valid or being redirected to the original bank site as many others banking trojan does.

Finally,a fixed fake list of transactions is displayed so the user can take the action of blocking them as part of the scam however at this point the crooks already have the victim's login data and access to their device SMS messages so they are capable to steal the second authentication factor.

In case of the fake tool app to request a new card,the app shows a message that says at the end 'We have created this Covid-19 sanitary measure and we invite you to visit our anti-fraud tips where you will learn how to protect your account'.

In the background the malware contacts the command-and-controlserver that is hosted in the same domain used for distribution and it sends the user credentials and all users SMSmessages over HTTPS as query parameters (as part of the URL) which can lead to the sensitive data to be stored in web server logs and not only the final attacker destination. Usually,malware of this type has poorhandling of the stolen data, therefore, it's not surprising if this information is leaked or compromised by othercriminal groups which makes this type of threateven riskier for the victims. Actually,in figure 8 there is a partial screenshot of an exposed page that contains the structure to display the stolen data.

Table Headers: Date, From, Body Message, User, Password, Id:

This mobile banker is interesting due it's a scam developed from scratch that is not linked to well-known and more powerful banking trojan frameworks that are commercialized in the black market between cyber-criminals. This is clearly a local development that may evolve in the future in a more serious threat since the decompiled code shows accessibility services class is present but not implemented which leads to thinking that the malware authors are trying to emulate the malicious behavior of more mature malware families. From the self-evasion perspective, the malware does not offer any technique to avoid analysis, detection, or decompiling that is signal it's in an early stage of development.



  • 84df7daec93348f66608d6fe2ce262b7130520846da302240665b3b63b9464f9
  • b946bc9647ccc3e5cfd88ab41887e58dc40850a6907df6bb81d18ef0cb340997
  • 3f773e93991c0a4dd3b8af17f653a62f167ebad218ad962b9a4780cb99b1b7e2
  • 1deedb90ff3756996f14ddf93800cd8c41a927c36ac15fcd186f8952ffd07ee0



McAfee Corporation published this content on 13 September 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 13 September 2021 12:51:08 UTC.

ę Publicnow 2021
All news about MCAFEE CORP.
12/01MCAFEE : And fireeye launch integration with amazon inspector and new cloud security solut..
11/30MCAFEE : Affected by a Data Breach? Here Are Security Steps You Should Take
11/29MCAFEE : How to Help Your Kids Combat Clickbait Scams
11/29McAfee and FireEye Launch Integration with Amazon Inspector and New Cloud Security Solu..
11/29Clearlake Capital bulks up software portfolio with Quest deal
11/26MCAFEE INVESTOR ALERT BY THE FORMER : Kahn Swick & Foti, LLC Investigates Adequacy of Pri..
11/24Certain Options of McAfee Corp. are subject to a Lock-Up Agreement Ending on 24-NOV-202..
11/24Certain LLC Units of McAfee Corp. are subject to a Lock-Up Agreement Ending on 24-NOV-2..
11/24Certain Management Incentive Units of McAfee Corp. are subject to a Lock-Up Agreement E..
11/24Certain Restricted Stock Units of McAfee Corp. are subject to a Lock-Up Agreement Endin..
More news
Analyst Recommendations on MCAFEE CORP.
More recommendations
Financials (USD)
Sales 2021 1 874 M - -
Net income 2021 577 M - -
Net Debt 2021 2 038 M - -
P/E ratio 2021 48,5x
Yield 2021 13,5%
Capitalization 4 682 M 4 682 M -
EV / Sales 2021 3,59x
EV / Sales 2022 2,97x
Nbr of Employees 6 916
Free-Float 25,8%
Duration : Period :
McAfee Corp. Technical Analysis Chart | MarketScreener
Full-screen chart
Technical analysis trends MCAFEE CORP.
Short TermMid-TermLong Term
Income Statement Evolution
Mean consensus HOLD
Number of Analysts 6
Last Close Price 25,60 $
Average target price 26,00 $
Spread / Average Target 1,56%
EPS Revisions
Managers and Directors
Peter A. Leav President, Chief Executive Officer & Director
Venkat Bhamidipati Chief Financial Officer & Executive Vice President
Steve Grobman Chief Technology Officer & Senior Vice President
Mary B. Cranston Independent Director
Timothy Millikin Independent Director
Sector and Competitors
1st jan.Capi. (M$)
MCAFEE CORP.53.39%4 682
ADOBE INC.31.45%312 796
SAP SE9.20%156 404
SEA LIMITED31.53%145 206