Open Banking protocols have driven a surge in the number of new mobile-only “challenger” banks in the UK, as well as a wealth of digital upstarts in the banking sector globally. Established High Street banks have also developed a wide range of mobile banking apps.
With some five billion people around the world now carrying enough computational firepower in their pockets to launch an early spacecraft, everyone wants in on the action.
That includes cyber criminals. And action they are getting, with figures from a wide range of security labs highlighting a massive surge in the number of mobile banking trojans.
Computer security software provider McAfee, for example, saw a 60% increase in mobile banking Trojans in the last year alone, while Kaspersky Lab identified mobile banking Trojan attacks on users in 164 countries. Senior Malware Analyst Roman Unuchek noted in a recent blog: “We discovered 544,107 [mobile Trojan-Ransomware installation] packages, which was double the figure for 2016, and 17 times more than in 2015.”
Kaspersky was not alone. At last week’s Mobile World Congress in Barcelona, McAfee said that it detected a whopping 16 million mobile malware infestations in the third quarter of 2017, with new threats emerging around the globe. Among the key trends: a global spike in banking Trojans, targeting account holders of large multinational and small regional banks.
Avast identifies a similar trend. As the company’s head of mobile threat intelligence and security Nikolaos Chrysaidos wrote in a recent blog: “In November 2017, our mobile threats intelligence team discovered a new strain of the BankBot Trojan in the Google Play Store. The malware concealed itself in flashlight and solitaire apps. When the user conducted online banking, the malware would create a fake overlay on the genuine banking app.
He noted that the bank apps targeted were all typically large blue chip banks, such as Citibank, Wells Fargo, Santander, HSBC, ING, Chase, Bank of Scotland, and Sberbank, among others: “Cybercriminals were not daunted by the strict security measures as much as they were attracted to the large customer bases.”
Kaspersky’s Unuchek tracked similar approaches: “We discovered a modification of the FakeToken mobile banker that attacked not only financial apps but also apps for booking taxis, hotels, tickets, etc. The Trojan overlays the apps’ interfaces with its own phishing window where a user is asked to enter their bank card details.”
The latest versions of Android OS include a wide range of tools designed to prevent malware from performing malicious actions. However, banking Trojans are constantly looking for ways to bypass these new restrictions and as Unuchek notes, use increasingly ingenious approaches to do so, for example asking victims for permission to use accessibility services (for disabled users), then granting itself some dynamic permissions. The Trojan also adds itself to the list of device administrators, thereby preventing uninstallation.”
Play Store Phishing
How can banks (and customers) fight back? The standard advice given to Android users to avoid downloading malicious apps is as simple as it comes: only get apps from the official Google Play store, which has built-in mechanisms to screen every app for malware and ransomware. The nature of Android’s open architecture, unfortunately, means that a generous handful of malware seems to be slipping through, putting users at risk.
Blogging earlier this year, Google’s Andrew Ahn, a product manager for Google Play, wrote: “In 2017, we took down more than 700,000 apps that violated the Google Play policies, 70% more than the apps taken down in 2016. We’ve also developed new detection models and techniques that can identify repeat offenders and abusive developer networks at scale. This resulted in taking down of 100,000 bad developers in 2017.”
The proliferation of “Potentially Harmful Applicatons” (PHAs) continues however.
Ahn added: “We invest heavily in keeping PHAs out of the Play Store. Finding these bad apps is non-trivial as the malicious developers go the extra mile to make their app look as legitimate as possible, but with the launch of [default security suite] Google Play Protect in 2017, the average annual PHA installs rates on Google Play was reduced by 50 percent.”
Google’s Android Security Bulletin for March, however, lists a total of 37 vulnerabilities, 11 of which are ranked as critical. It’s clear that the threat is not going away. Luckily for end-users, the vast majority of banks protect mobile banking customers from fraud.
As Barclays puts it: “When you make a payment using any of Barclays Mobile Banking services, you’re automatically protected by our Online and Mobile Banking Guarantee if you’re an innocent victim of fraud. This means we’ll refund any money that’s taken from your account.”
The bank adds that its app has been awarded “The British Standards Institute international ISO 27001 certification for security and resilience” along with the “The British Standards Institute for Secure Digital Transactions, which means that the app has been tested independently to ensure that it protects your financial and personal details.”
But as McAfee puts it: “Considering that mobile malware has been around for only 15 years—from the first mobile botnet discovered in 2009 to the targeted attacks from the Lazarus group on smartphones—the pace at which malware has evolved on mobile devices is alarming. With banking Trojans generating revenues in the millions, as well as ad click fraud, and cryptomining latent apps flooding online stores, we expect to see considerably more exploitation in 2018.”