Android users were the target of new banking malware with screen locking capabilities , which was disguised as Attack.Phishing a weather forecast app on Google Play . Detected by ESET as Trojan.Android/Spy.Banker.HU , the malware was a trojanized version of the otherwise benign Attack.Phishing weather forecast application Good Weather . The malicious app managed to get around Google ’ s security mechanisms and appeared in the store on February 4th , only to be reported by ESET two days later and consequently pulled from the store . During its short lifetime , the app found its way to devices of up to 5000 users . Besides the weather forecast functionalities it adopted from the original legitimate application , the trojan is able to lock and unlock infected devices remotely and intercept Attack.Databreach text messages . Apart from doing so , the trojan targeted the users of 22 Turkish mobile banking apps , whose credentials were harvested Attack.Databreach using phony login forms . The infected device then displays Attack.Phishing a fake system screen requesting device administrator rights on behalf of fictitious “ System update ” . By enabling these rights , the victim allows the malware to Change the screen-unlock password and Lock the screen . Users who are not alarmed at this point might be pleased with the new weather widget they can add to their home screens . However , in the background , the malware is getting to work sharing device information with its C & C server . Depending on the command it gets in return , it can intercept Attack.Databreach received text messages and send them to the server , remotely lock and unlock the device by setting a lock screen password of the attackers ’ choice , and harvest Attack.Databreach banking credentials . The trojan displays Attack.Phishing a fake login screen once the user runs one of the targeted banking apps and sends entered data to the attacker . Thanks to the permission to intercept Attack.Databreach the victims ’ text messages , the malware is also able to bypass SMS-based two-factor authentication . As for the device locking , we suspect this function enters the picture when cashing out the compromised bank account , to keep the fraudulent activity hidden from the user . Once locked out , all victims can do is wait until the malware receives a command to unlock the device . If you ’ ve recently installed a weather app from the Play Store , you might want to check if you haven ’ t been one of the victims of this banking trojan . In case you think you might have downloaded an app named Good Weather , check for its icon under your apps . After running anything you ’ ve installed on your mobile device , keep paying attention to what permissions and rights it requests . An app that won ’ t run without advanced permissions that aren ’ t connected to its intended function might be an app you don ’ t want installed on your phone .