Mobile Malware Targeting Banks

Mobile malware threats are very real, and growing in sophistication. On mobile, many new types of malicious software have spread via phishing, smishing (SMS based phishing), and even malicious apps disguised as legitimate apps that consumers knowingly download. For this reason, businesses need to implement device intelligence solutions that have the ability to detect whether or not a device is infected with malware before it transacts with that organization.

The mobile banking platform presents an attractive target for fraudsters, as more consumers choose to adopt mobile banking and transact via their smartphone. Banking malware is constantly evolving and is designed to bypass typical banking authentication steps or to compromise a consumer’s login credentials.

One step in malware defense involves scanning for specific malware signatures, as well as scanning for crimeware, a category of malware. Crimeware is a form of a malicious application typically used by cyber thieves for the purpose of defrauding banks or merchants or their customers through the use of location spoofers, key loggers, SMS forwarders, etc.

In particular, one of the specific targets of such malware attacks by fraudsters is, of course, banks. For example, banks are being targeted with the following types of malware which are detected by having the proper malware signatures in place:

• BankBot: BankBot is a malware that specifically targets banks, and there is a long list of countries whose banking applications were targeted. In fact, once version of BankBot was found to have 428 banking applications targeted. BankBot is an Android banking trojan that works by showing a fake login window on top of the user's legitimate banking application. BankBot is then used to steal login credentials. And BankBot could also lock the user's device in a ransomware-like behavior, and intercept SMS messages for the ability to bypass two-step verification operations.
  
  
• Trojan.Android/Spy.Banker.HU: This banking malware, disguised as a weather forecasting application, targets Android users. This trojan has screen-locking capabilities, can lock and unlock infected devices remotely, and can intercept text messages. The trojan targeted mobile banking apps, whose credentials were harvested using fake login forms.
  
  
• Android.SmsSpy.88.origin: This trojan was initially distributed via SMS spam with the main purpose intercepting phone calls and SMS messages, usually used for two-factor authentication systems. It later evolved and added the ability to phish for credit card details using a Google Play Store-like interface as well as the ability to phish for credentials from banking applications, and the ability to lock the user's screen and ask for a ransom.
  
  
• Android/Spy.Agent.SI: This Android banking trojan can steal login credentials from mobile banking apps. It has the ability to intercept SMS communications and help fraudsters bypass SMS-based two-factor authentication. The malware impersonates a Flash Player and once downloaded, the malware remains active in the background. The malware overlays a launched banking application and captures the users log-in credentials.

• Zeus family of mobile malware (Zbot and Zitmo): The main mobile Android variants of Zeus are detected as Zitmo or ZBot. Zitmo malware is designed to infect the user’s mobile device and bypass the two-factor authentication systems used by European banks. Zitmo works with a malware called Zbot. Zbot steals the username and password and then. Then, during a money transfer, Zitmo forwards the authorization code to the fraudster.

However, malware is not always caught by signatures, which is often the case when a new malware variant is released. A device therefore must also be scanned for suspicious behavior. For example, has the device been rooted or jailbroken – perhaps without the customer’s knowledge - or has the customer mistakenly loaded a malicious app – or is this an unusual location?

Behavioral analysis of the consumer should also be performed in the event that a certain malware is not detected. The foundation of behavioral analysis is creating a strong mobile device ID. Once the device has been permanently identified, the bank can create an association between a customer and a device. Behavioral analysis, for example, ensures the device is one typically associated with the customer, ensures the transaction activity is typical for this customer, and assumes an increased level of risk if this is a new account.

In addition, protecting the mobile device from malware and allowing it to still transact is important. In this situation, protection against replay attacks, man in the middle, man in the application, or session hijack attacks are important. To protect against this, end to end encryption from an application to the organizations’ server is critical. Banking applications transmit a lot of very sensitive information; credentials, account information, transaction information, application information, etc. If malware is running and has bypassed other detections, it is important to ensure this information can’t be decrypted, intercepted, or replayed and only the consumer within the application itself can read the messages.

A holistic approach examining high-risk indicators will help the organization understand device trustworthiness, including a complete scan for malware. In addition, preventing malware from intercepting information even if it is undetected is critically important.

Having the ability to detect malware infection on their users’ devices or protect a device and information even in the presence of malware allows businesses to seamlessly authenticate good consumers, make more confident transaction decisions, and expand mobile channel functionality without the risk of fraud.

---

Michael Lynch is InAuth’s Chief Strategy Officer and is responsible for developing and leading the company’s new products strategy, as well as developing key US and international partnerships. He brings two decades of experience in key roles within financial services, consulting, and Fortune 500 companies, specializing in security and technology leadership.