Berlin state police warned on Tuesday that "bank customers using the SMS-TAN/mTAN process have become victims of fraudulent money withdrawals." Several people have reportedly had their bank accounts emptied in the past few weeks, the police said in a statement.
"In all cases, the SMS containing the mTAN for the online banking system was caught or diverted," the statement said. "Up until now, those affected have been customers using a smartphone with an Android operating system."
The criminals reportedly use a Trojan to steal their victims' bank details from their desktop computers. A fake notification then appears in the victim's browser saying they should protect their smartphone with a security update, which requires them to give the phone's number and model.
An SMS is then sent to the phone containing a link to the supposed security update - but the software they then download is highly dangerous. "From then on, all instant messages containing an mTAN are diverted to another mobile phone, belonging to the criminal," the statement said.
These mTAN numbers, along with the account and PIN numbers gleaned before, can now be used to withdraw money. The transactions cannot be reversed. In several cases, the fraudsters not only emptied the accounts, but also used up overdraft limits, the police said.
Police are now warning people not to download onto their phones any security updates that appear to have been sent by their banks. Emails that appear to come from banks and ask for security details should also be regarded with suspicion, the police said.