Android Malware Campaign Targets Finnish Online Bank Accounts, Authorities Warn
ICARO Media Group
Finland's Transport and Communications Agency (Traficom) has issued a warning about an ongoing Android malware campaign that aims to breach online bank accounts. The agency has raised concerns about multiple cases of SMS messages, written in Finnish, that instruct recipients to call a particular number. When victims call, the scammer directs them to install a malicious app presented as McAfee, under the pretext of providing protection.
These fraudulent messages pose as coming from banks or payment service providers such as MobilePay, and use spoofing technology to appear as if they originate from domestic telecom operators or local networks. The supposed McAfee app is in fact malware that grants cybercriminals access to victims' bank accounts.
According to Traficom, the download link provided in the SMS messages points to an APK file hosted outside the official app store for Android devices. The app is not antivirus software but malware intended to be installed on the victim's phone.
OP Financial Group, a prominent financial service provider in Finland, has also alerted customers on its website to these deceitful messages impersonating banks or national authorities. The police have echoed the warnings, emphasizing that the malware enables threat actors to log in to victims' banking accounts and carry out unauthorized money transfers. One victim has already lost 95,000 euros ($102,000).
Traficom has confirmed that the campaign exclusively targets Android devices, with no separate infection chain designed for Apple iPhone users. The authorities have not yet determined the specific type of malware or shared any hashes or IDs for the APK files, but the attacks bear strong similarities to those reported by Fox-IT analysts in connection with the new version of the Vultur trojan.
The recently emerged new version of Vultur combines smishing (SMS phishing) with phone calls to convince victims to download a fake McAfee Security app. The malware delivers its final payload in three separate parts to evade detection. Notable features of this latest version include extensive file management operations, abuse of Accessibility Services, blocking specific apps from executing on the device, disabling Keyguard, and displaying customized notifications in the status bar.
If the malware has already been installed, affected individuals are strongly advised to contact their bank immediately to activate protection measures, and to restore the infected Android device to factory settings, erasing all data and apps. OP Financial Group also emphasizes that it never asks customers to share sensitive data over the phone or to install any apps for payment-related purposes. Any such suspicious requests should be promptly reported to the bank's customer service and the police.
Google has previously told BleepingComputer that Android's built-in anti-malware tool, Play Protect, automatically protects against known variants of Vultur. Keeping Play Protect active at all times is therefore crucial for device security.
As authorities continue to investigate this Android malware campaign, Android users in Finland should be cautious, stay vigilant against suspicious messages, and follow the recommended steps to protect their online banking accounts from potential breaches.