Front Page: NCSC-FI
Front Page: NCSC-FI

The National Cyber Security Centre Finland’s weekly review – 18/2024

Information security now!

This week, we talk about Android malware designed to give criminals access to victims’ bank accounts. As usual, the review also includes recently reported scams.


Topics covered in this week’s review

  • New Android malware being used to gain access to victims’ bank accounts
  • Recently reported scams

New Android malware being used to gain access to victims’ bank accounts

There are currently Finnish-language text messages going around that are aimed at spreading malware. The text messages ask the recipient to call a service number, and if they do, they are instructed to install malware on their Android device. The phone number looks like the number of a Finnish telecommunications operator or local network number.

The malware is targeted at Android devices and aimed at stealing money from the victim’s online banking services. While the text messages are being sent to other devices as well, the malware cannot be installed on iPhones, for example.

Do not respond to the message or install applications outside the app store on your device. If you have installed the app in question, immediately contact your bank to limit the damage and then file a police report.

What is this about?

There have been text messages going around under the names of several companies that claim that the recipient is subject to a debt recovery claim or that suspicious activity has been detected on their bank account. The messages have asked the recipient to call the included service number.

Upon calling the number, victims have been told that they have most likely become the victim of fraud and need to implement some security measures on their device. During the call, the victims have received a second text message with a link for downloading malware disguised as antivirus software. According to reports received by the NCSC-FI, the victims have been told to download McAfee software. The download link launches the installation of an .apk application for Android downloaded from outside the app store.

In reality, the app installed on the victim’s phone is not antivirus software, but malware that allows criminals to access apps and messages on the infected phone, including online banking services. Ultimately, the criminals’ aim is to use the malware to steal money from the victim’s bank account.

Do not download apps outside of official app stores

Banks and public authorities will never call customers and ask them to disclose online banking credentials, make payments or install mobile apps outside official app stores.

Customers do not need to sign in via links, confirm anything with provided codes or disclose any information over the phone in order to receive or cancel a payment. 

What can I do if I installed the malware?

  1. Contact your bank. If you have used a banking application or handled credit card information on the infected device, immediately contact your bank to limit the damage.
  2. Restore the device to factory settings. When restoring from a backup, make sure that the backup used to restore the device was created before the malware infection. In some cases, it may not be possible to restore the device to factory settings. If you cannot restore your device to factory settings, we recommend contacting the device retailer.
  3. Protect your user accounts. Change the passwords to the services that you have used with your device. The malware may have stolen your passwords if you have signed in to services after it was installed.
  4. File a police report. File a report of an offence on any monetary losses.

We also covered this topic briefly in last week’s Weekly review 17/2024 .

The police (External link) and Osuuspankki (External link) have also published bulletins about the malware (in Finnish and Swedish).

Recently reported scams


This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 26 April–2 May 2024). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.