Attackers manipulating mobile applications is not unheard of; however this new breach leverages its ability to control the victim's device. 

The malicious app initially uses phishing techniques, presenting the victim with a fake banking web page; thus enabling the attacker to derive the victim's banking credentials to their own web server.

From this point on, the attacker has full control of the victim's mobile device....and their bank account. 

This malware is particularly interesting, as it has it's own built-in defence mechanism. If the victim was to attempt to delete the app, the device would lock itself. As well as doing so, the app changes the device's lock code. So while the device is rendered practically unusable to the victim, the attacker proceeds to empty their bank accounts. 

As always, we strongly recommend that you do not open unknown email attachments, and to always implement Anti-Virus software on all devices.