Commonwealth Bank, Westpac, National Australia Bank and ANZ Bank customers are all at risk from the malware which hides on infected devices waiting until users open legitimate banking apps. The malware then superimposes a fake login screen over the top in order to capture usernames and passwords.

The malware is designed to mimic 20 mobile banking apps from Australia, New Zealand and Turkey, as well as login screens for PayPal, eBay, Skype, WhatsApp and several Google services.

Apart from Australia's Big Four banks it targets a range of other financial institutions including Bendigo Bank, St. George Bank, Bankwest, ME Bank, ASB Bank, Bank of New Zealand, Kiwibank, Wells Fargo, Halkbank, Yapı Kredi Bank, VakıfBank, Garanti Bank, Akbank, Finansbank, Türkiye İş Bankası and Ziraat Bankası.

Along with stealing login details, the malware can also intercept two-factor authentication codes sent to the phone via SMS — forwarding the code to hackers while hiding it from the owner of the phone. With access to this information, thieves can bypass a bank's security measures to log into the victims' online banking account from anywhere in the world and transfer funds.

The malware attack has evolved over time, becoming more sophisticated as hackers update the software to defeat security countermeasures, says ESET senior research fellow Nick FitzGerald.

"This is a significant attack on the banking sector in Australia and New Zealand, and shouldn't be taken lightly," FitzGerald says.

"While 20 banking apps have been targeted so far, there's a high possibility the e-criminals involved will further develop this malware to attack more banking apps in the future."

Detected by ESET security systems as Android/Spy.Agent.SI, the malware sneaks onto Android devices by imitating the Adobe Flash Player application which many websites require in order to play streaming video. Once installed the app requests device administrator rights, checks for installed banking applications and then reports back to base in order to download the relevant fake login screens.

The infected Flash Player application does not come from Android's official Google Play app store, instead phone users are tricked into installing via infected websites or bogus messages. To become infected Android owners must override the default security option and accept apps from unknown sources. The download comes from a range of bogus domains including flashplayeerupdate.com, adobeflashplaayer.com and adobeplayerdownload.com.

A Google spokesperson warned against allowing your phone to install any applications downloaded from the web.

"It's important to only install applications from sources you trust, such as Google Play", the spokesperson said.

"Over 1 billion devices are protected with Google Play which conducts 200 million security scans of devices per day."

Infected Android devices include 'Flash Player' in the list of device administrators found under the Settings > Security > Device Administrators menu. Attempts to remove Flash Player from this list generates a bogus alert warning that data may be lost, but it is safe to press OK. With its device administrator rights disabled it is possible to uninstall the malware via Settings > Apps/Application manager > Flash Player > Uninstall.

In some cases the malware superimposes a fake warning over the Device Administration list to prevent deactivation. The solution is to restart the Android device in Safe Mode, which restarts the device with all installed apps disabled, preventing the malware from blocking access to the Device Administration list. Safe Mode is accessed in different ways on different devices, so consult your manual or a support website.

The latest Android malware attack comes as Google steps up its efforts to block websites containing bogus advertisements and pop-ups which often link to malware. These bogus messages often insist that visitors must install extra media player software, or update existing software such as Adobe Flash, in order to watch online video.