In their race for customers, banks and financial institutions need to maximize the usability and flexibility of their services. Mobile banking applications were therefore a natural step forward, as they let customers use their banking services virtually anywhere. It became very easy to check an account balance, make transfers or pay bills from one's fingertips. However, wherever there is a way to manage money, there is also valuable information for cyber criminals, and wherever there is convenience, there is also less security. This context, together with the general negligence that still governs the mobile world, contributed to the rise of mobile malware designed to steal the credentials used for mobile banking applications. Such credentials can be used to conduct banking transactions in the name of the victim, with little or no chance of being discovered. These transactions rarely trigger an alert, whatever security measures the bank has in place, because the bank usually has no way to tell a request made with stolen credentials from a legitimate one.
Mobile malware uses two strategies to get installed on a device and extract the target information:
- Phishing (and its variants, vishing, smishing, etc.): techniques that attempt to convince users to disclose credentials, make money transfers or install malware, such as socially engineered phone calls, fake apps, malicious adverts, luring SMS messages, crafted email messages or social media activity;
- Exploiting vulnerabilities in the applications, or the mobile operating systems themselves.
Some examples of mobile banking malware:
This mobile malware started as an Android backdoor, allowing cyber criminals to run commands on the mobile device from a remote location. It allowed attackers to intercept SMS messages, send SMS messages to a given number from the device, or change the device's control number. It then evolved to execute more commands and to display phishing windows overlaid on top of popular apps such as WhatsApp, Gmail, Twitter, Instagram or Skype in order to steal social networking credentials. Next, it began to target mobile banking apps; as of 2016 it is known to target at least 30 mobile banking applications worldwide.
This malware comes in over 170 variants. Once installed, it monitors the running processes, detects over 30 legitimate mobile banking applications and displays fake login windows on top of them. It harvests credentials and sends them to a command-and-control server, together with other device information useful to the attackers (phone number, installed apps, etc.).
Gugi is a very aggressive new breed of mobile banking malware that gets installed through smishing: the user receives an SMS notification claiming that a new MMS image is available for download. Once the user opens the link, the malware installs itself and bypasses the latest security features in Android 6 by forcing the user to grant it the overlay permission. It then overlays the user interface of banking clients commonly used in Russia.
This malware disguises itself as a legitimate popular application (such as Pokemon Go) and looks the same as the original, except that it also contains functionality to download and install the malicious code. Once the credentials for the banking app have been stolen, it can send or delete SMS messages, record text activity and perform banking operations on the victim's behalf.
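The overlay phishing described above (a fake login window drawn over the real banking app, and taps hijacked by a transparent window) is something the banking app itself can partly defend against. The following Android snippet is an added example and is not code from the original article or from any of the malware analyses it draws on; the activity class, layout id and button id are hypothetical, while the Android APIs used (`View.setFilterTouchesWhenObscured`, `MotionEvent.FLAG_WINDOW_IS_OBSCURED`, `Window.setHideOverlayWindows`) are real.

```java
// Added example, not from the original article: hardening a banking login
// screen against overlay windows and tapjacking. LoginActivity, R.layout.activity_login
// and R.id.login_button are hypothetical names.
import android.os.Build;
import android.os.Bundle;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;

public class LoginActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login); // hypothetical layout

        // Android 12 (API 31) and later: ask the system to hide non-system
        // overlay windows while this activity is on screen. Requires the
        // normal-level permission android.permission.HIDE_OVERLAY_WINDOWS
        // to be declared in the manifest.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }

        Button loginButton = findViewById(R.id.login_button); // hypothetical id

        // Drop touches that arrive while another window covers this view.
        // Same effect as android:filterTouchesWhenObscured="true" in the layout.
        loginButton.setFilterTouchesWhenObscured(true);

        // Additionally inspect the obscured flags ourselves, so the event can be
        // reported to the fraud team instead of being silently discarded.
        loginButton.setOnTouchListener((view, event) -> {
            if (event.getAction() != MotionEvent.ACTION_DOWN) {
                return false; // only evaluate the initial press
            }
            int flags = event.getFlags();
            boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
            if (!obscured && Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
                // API 29+ also reports a window covering only part of the view.
                obscured = (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
            }
            if (obscured) {
                reportObscuredTouch();
                return true; // consume the touch: the click never reaches the button
            }
            return false; // normal click handling continues
        });
    }

    private void reportObscuredTouch() {
        // Hypothetical hook: in a real app this would also send a telemetry
        // event to the bank's fraud backend for the current device/session.
        Toast.makeText(this,
                "Another app is drawing over this screen. Close it and try again.",
                Toast.LENGTH_LONG).show();
    }
}
```

Two caveats apply. The obscured flags are only set on touches that actually reach the bank's own view, so they stop an overlay from hijacking taps on the real login button but cannot detect a full-screen fake login window that captures the credentials itself and never forwards a touch; against that, the Android 12 `setHideOverlayWindows` call is the in-app control, and on older versions the defence is the overlay permission the user is tricked into granting. Either way, the bank should not rely on the client alone: device binding, transaction risk scoring and step-up authentication for unusual transfers are what catch credential reuse from a different device.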
Mobile devices are no safer than PCs; in fact, because of their many convenience features, they may be far more dangerous for the individuals who use them to carry out financial transactions. Apps are less secure, and privacy is always at stake given the myriad legitimate services that request various related privileges. Clearly there are many ways in which we can become victims of mobile attacks, and we have a lot to lose. To stay safe and significantly reduce the risk of this happening, follow these basic best practices:
- Keep your phone up to date;
- Use mobile security software;
- Avoid opening or clicking through messages from unknown or unverified sources, no matter how appealing the content is;
- Avoid installing anything from sources other than the official ones.