Android Malware targets Aussie mobile banking apps

Alex Kidman 10 March 2016


Customers of Westpac, Commonwealth, St.George, NAB, ANZ and plenty of other banks should be on alert for a malware scam designed to extract their valuable banking information.

Malware on the Android platform is nothing particularly new, with plenty of research suggesting that it’s the most commonly targeted platform for nefarious software attacks.

According to security research firm ESET, the latest bit of Android Malware has a distinctly Australian – but equally sour – flavour.

The particular bit of miscreant software is known as Android/Spy.Agent.SI. It masquerades as a Flash Player application, but instead requests administrator rights upon installation before phoning home to a server with a full list of installed applications on the Android device. If any of 49 banking applications is found on the device, the malware then presents a locked fake login screen when that application is launched. While banks are the primary target, it will also attempt to phish out Google ID credentials as well.

It’s cannily written to bypass two-factor SMS authentication by intercepting any incoming communications triggered by a banking app, as well as protect itself from uninstallation by blocking the ability to remove its administrator rights once granted.

Which banks are affected?

ESET advises that the following banking applications are targeted by Android/Spy.Agent.SI:

  • Westpac
  • Bendigo Bank
  • Commonwealth Bank
  • St.George Bank
  • National Australia Bank
  • Bankwest
  • Me Bank
  • ANZ Bank
  • ASB Bank
  • Bank of New Zealand
  • Kiwibank
  • Wells Fargo
  • Halkbank
  • Yapı Kredi Bank
  • VakıfBank
  • Garanti Bank
  • Akbank
  • Finansbank
  • Türkiye İş Bankası
  • Ziraat Bankası.

How can I remove it?

If you think you’ve been infected via a fake Flash player, the way to stop the problem is to uninstall the application. To do this, first you’ll have to disable its administrator privileges via Settings -> Security -> Device administrators -> before uninstalling via Application Manager.

It is possible however that Android/Spy.Agent.SI may have already disabled the ability to remove administrator privileges from the user. In that case you’ll need to boot your phone into safe mode. The method for that varies by handset and Android version, so you’ll need to do some research into your particular model to ferret out specifically how to perform a safe mode reboot. From there you should be able to disable Android/Spy.Agent.SI’s administrative privileges and uninstall it.

How can I keep my banking app safe?

The key to how Android/Spy.Agent.SI works is by fooling a user into thinking that they need to install a Flash player app. At this stage, and especially on mobile, Flash is essentially deprecated, so you really don’t need to install it, ever.

That aside, it also works by convincing users to install third party applications outside of the Google App store environment. In most cases this isn’t a wise step, and most Android handsets have the ability to "sideload" applications like this disabled by default. Tread carefully and you should be fine, because this isn’t a malware package that installs itself.

If you're seriously concerned that you may have already compromised your banking details, contact your financial institution immediately, preferably in person with plenty of proof of identity to enable closure or change of potentially affected accounts.

Image: Shutterstock

Ask a Question

You are about to post a question on

  • Do not enter personal information (eg. surname, phone number, bank details) as your question will be made public
  • is a financial comparison and information service, not a bank or product provider
  • We cannot provide you with personal advice or recommendations
  • Your answer might already be waiting – check previous questions below to see if yours has already been asked

Disclaimer: At we provide factual information and general advice. Before you make any decision about a product read the Product Disclosure Statement and consider your own circumstances to decide whether it is appropriate for you.
Rates and fees mentioned in comments are correct at the time of publication.
By submitting this question you agree to the privacy policy, receive follow up emails related to and to create a user account where further replies to your questions will be sent.

Ask a question