This is a multi-part blog series about mobile malware aimed at mobile banking and fintech apps. In this first post, I’ll describe the different types of mobile malware, mobile banking trojans and remote access trojans (RATs). I’ll cover what they are and what they do, including how they specifically target mobile banking and fintech apps to commit fraud.
In the next blog post, I’ll cover the different ways in which mobile malware changes over time, how different variants proliferate, usually with the help of unsuspecting mobile users who are tricked into performing actions that help the malware replicate, spread laterally, and auto-update to gain new functionality. I’ll also discuss how fraudsters use malware to elevate privileges, to automate their operations, and plant, open and exploit backdoors. All of these malicious actions are primarily accomplished by abusing normal app functionality or using platform-specific features for unintended purposes. I’ll also explain how fraudsters use powerful mobile development and testing tools and frameworks against the app and app makers.
Finally, in the last part of the series, I’ll explain what developers of mobile banking apps can do right now in order to protect their apps and their users from the relentless threat of mobile malware and trojans. This post will include actionable and prescriptive recommendations for implementing in-app protection against mobile malware to deal with the problem preemptively – in other words, the best defense against mobile malware and mobile fraud is to prevent it before it starts – by taking away all the key ways fraudsters create, update, and proliferate mobile malware in the first place.
The Large and Growing Threat of Mobile Malware
For many years, malware has been a key ingredient in every fraudster’s toolkit. And while mobile malware affects every type of mobile app, mobile banking apps, in particular, are a very attractive target for malware developers. Over the past few years, there’s been an explosion of malware variants that target mobile apps that deal with money – this includes mobile banking apps, fintech apps, and a wide variety of other apps that move money or process transactions (trading apps, wealth management, mobile wallets, money transfer and cash apps, etc).
To provide a glimpse of how rampant mobile malware is, consider these stats:
In 2020 alone, security firm Kaspersky reported 156,710 new mobile banking Trojans, 20,708 new mobile ransomware Trojans, and 5.6 million malicious installation packages installed by unsuspecting mobile users.
It’s not hard to imagine why banking apps are high-value targets of fraudsters (aside from a statement of the obvious: ‘where there’s money, fraud will follow’). For one, mobile banking apps and mobile wallets store our most sensitive and personal data, and they are often accessible by other apps through native Android and iOS functions (like Android intent filters and iOS ‘open in’). These apps, and the other apps that connect to them, have access to our likes and preferences, to the stores we shop in, the retailers we visit online, the friends we have brunch with that stick us for $17.99 for that avocado toast (you know who you are). These apps know who we pay, how we pay, when we pay, where we pay, what we pay with, how much we have, our credit scores, and every Uber or Lyft ride we’ve taken at 2am to who knows where. Mobile wallets store credit card numbers, CVV codes, usernames and passwords for apps and websites. And for every little piece of data stored in a mobile app, there is a malware writer somewhere writing a specifically crafted piece of malware to target it. Why? So they can mine it and monetize it. Google and Facebook aren’t the only ones making money off our data. If mobile data and information are ‘the new gold’, then malware is like a precision-crafted pick-axe used to mine it.
To effectively deal with the problem of mobile malware, you first need to understand it. So before going further, let’s get some definitions down.
What is Mobile Malware?
In short, malware is an umbrella term for any software designed to cause harm to a computer, mobile app, user, server, network, or any other digital entity. Simply put, malware serves the malicious purpose of the entity that created it, usually at the expense of a legitimate user of the technology the malware was built to exploit. In other words, software is identified as malware based on its intended use, rather than on a particular technique or technology used to build it. Mobile malware comes in many different forms, shapes, and sizes, and its true intent is almost always hidden. In fact, chances are that every person reading this blog has been the victim of, or the unwitting accomplice in, a mobile malware operation at some point in time, and most of us (myself included) probably didn’t even know it happened. Why is that? The reason is simple: staying unnoticed is exactly what mobile malware is designed to do.
Malware loves to masquerade, to deceive, and to harvest knowledge about its environment or host app, knowledge it then uses to turn the app against its users, its community, other apps, and so on. Malware is not static. It may start off performing one simple function (e.g., copying data from a mobile user’s clipboard and sending it to the attacker), but over time it exploits its surrounding environment to morph into something much more powerful.
Though some mobile malware may be pre-installed, most malware relies on the actions of unsuspecting mobile users to spread and thrive. Malware arrives on devices via sideloaded apps or app stores, through drive-by downloads, through phishing and pharming, and through spoofed ‘private’ conversations on popular chat programs like WhatsApp, WeChat, Facebook Messenger, and Instagram. Malware and Trojans are often downloaded via alternative, unauthorized or rogue app stores (like Cydia or Sileo). But there’s also plenty of malware that comes from ‘official’ app stores like Google Play and Apple’s App Store as well. In a recent report, researchers analyzed 3,000 of the top applications in the Google Play store and revealed that 63% of the applications contained known security vulnerabilities and malware, with an average of 39 vulnerabilities per app.
A Trojan is a form of malware that relies on deceiving the user into thinking that the program is useful or beneficial to them in some way. But in reality, the program performs actions that harm the user or exploits the user or app to harm other apps or services. The true hallmark of a trojan is that the malware is hidden inside another app that is used as a vessel to carry the malware in (just like the wooden Trojan Horse used by the Greeks to enter the city of Troy and win the Trojan War in the 12th century).
Trojans are generally spread by some form of social engineering. For example, the user is tricked into opening an email attachment (e.g., a routine form to be filled in), clicking on a fake ad inside a mobile app, or following a redirect to a website the app connects to. Although trojan payloads can be anything, many modern trojan variants are designed to install backdoors that serve as a ‘way in’ for adversaries to gain access to an otherwise protected or restricted environment at a later date. Fraudsters use backdoors to deliver updates to malware that they had previously managed to get users to install on their devices. An example of a backdoor for delivering malware is Android’s ‘Unknown Sources’ or ‘Developer Options’ setting. Many malware variants are specifically designed to trick users into enabling Unknown Sources and Developer Options, because an attacker can and will use those channels to remotely control an app via a remote command shell, or to establish an open communications channel through which a piece of malware gets updates from a command-and-control (C&C) network (a very common practice for malicious botnets).
Trojans allow an attacker to access users’ personal information such as banking credentials and passwords, to intercept MFA PIN codes, and to steal authentication tokens or cookies that can be used in account takeovers (ATO).
Every Trojan Wants to be a RAT
A Remote Access Trojan (RAT) is a type of malware that provides the attacker with full remote control over a system or app from any location (without needing physical access). Among other things, RATs are fantastic tools for data harvesting, surveillance and intelligence collection. RATs can typically access information such as installed applications, call history, address books, web browsing history, and SMS data. RATs may also be used to send SMS messages, enable device cameras, and log GPS data. One of the most infamous examples in recent months was Pegasus, a mobile RAT abused to monitor journalists and activists.
Ransomware attacks often use trojans or RATs as a critical element to acquire the information needed to conduct an effective extortion scheme and earn a successful ransom fee, which can command multi-million dollar paydays for fraudsters. For example, Colonial Pipeline is reported to have paid over $4m in ransom for the ransomware attack that crippled operations for weeks and threatened the energy supply on the East Coast.
The following chart is a list of some of the most popular malware families of 2020. The list features TrickBot at the top of the chart, followed by Gozi and Ramnit. All these trojans are operated by organized groups that offer up varying business models to other cybercrime actors, such as botnet-as-a-service schemes and distribution through compromised assets they control.
Bank trojans are often disguised as legitimate applications and seek to compromise users who conduct their banking business — including money transfers and bill payments — from their mobile devices. This type of trojan usually aims to steal financial login and password details. Eventbot was, and still is, one of the most formidable mobile banking trojans in recent memory; it stole private and valuable information from hundreds of mobile banking and financial apps on Android. It is programmed to tap into Android’s built-in accessibility features and steal data by reading SMS messages, banking PINs, and more as they appear on screen.
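The two device conditions this post has described, the ‘Unknown Sources’ / ‘Developer Options’ channels that malware tricks users into enabling, and the accessibility services that trojans like Eventbot abuse to read PINs and SMS text off the screen, can both be observed from inside a banking app. The Android (Java) class below is an added example, not code from the original post or from any product it describes; it collects those signals with the platform’s own Settings, PackageManager and AccessibilityManager APIs, and shows the view-level hardening that keeps a PIN field out of reach of undeclared accessibility services on Android 14 and later. The TalkBack allow-list entry and the Signal type are assumptions made for the example.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.provider.Settings;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example: in-app risk signals for the device conditions described in the post. */
public final class DeviceRiskSignals {

    /** One observed condition. The app's fraud policy (not this class) decides what to do with it. */
    public static final class Signal {
        public final String name;
        public final String detail;
        Signal(String name, String detail) { this.name = name; this.detail = detail; }
        @Override public String toString() { return name + ": " + detail; }
    }

    // Assumption for this example: services the bank treats as legitimate assistive technology
    // (TalkBack shown). A real allow-list would be maintained and updated server-side.
    private static final List<String> ASSUMED_TRUSTED_SERVICES =
            Arrays.asList("com.google.android.marvin.talkback");

    private DeviceRiskSignals() {}

    /** Returns the signals present on this device; empty if none of the conditions hold. */
    public static List<Signal> collect(Context ctx) {
        List<Signal> out = new ArrayList<>();

        // Developer Options and ADB debugging: the remote-shell channels described in the post.
        if (Settings.Global.getInt(ctx.getContentResolver(),
                Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) == 1) {
            out.add(new Signal("developer_options", "enabled"));
        }
        if (Settings.Global.getInt(ctx.getContentResolver(), Settings.Global.ADB_ENABLED, 0) == 1) {
            out.add(new Signal("adb_debugging", "enabled"));
        }

        // Unknown Sources: one device-wide toggle before Android 8; a per-app permission from 8 on,
        // so on newer devices an app can only see whether it has itself been granted that right.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            if (ctx.getPackageManager().canRequestPackageInstalls()) {
                out.add(new Signal("unknown_sources", "this app may request package installs"));
            }
        } else if (Settings.Secure.getInt(ctx.getContentResolver(),
                Settings.Secure.INSTALL_NON_MARKET_APPS, 0) == 1) {
            out.add(new Signal("unknown_sources", "enabled device-wide"));
        }

        // Enabled accessibility services can read on-screen text and inject input (the Eventbot
        // technique). Report every enabled service that is not on the allow-list.
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am != null) {
            for (AccessibilityServiceInfo info :
                    am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
                String id = info.getId();                 // flattened "package/ServiceClass"
                int slash = id.indexOf('/');
                String pkg = slash > 0 ? id.substring(0, slash) : id;
                if (ASSUMED_TRUSTED_SERVICES.contains(pkg)) continue;
                // From Android 13 a service can declare itself an accessibility tool; undeclared
                // services reading a banking screen deserve a closer look.
                boolean declaredTool = Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU
                        && info.isAccessibilityTool();
                out.add(new Signal("accessibility_service",
                        id + (declaredTool ? " (declared accessibility tool)" : " (undeclared)")));
            }
        }
        return out;
    }

    /**
     * Hardening for a PIN or password view: block screenshots and screen recording of the window,
     * and (Android 14+) hide the field's data from accessibility services that are not declared
     * accessibility tools, which is what stops screen-reading trojans without breaking TalkBack.
     */
    public static void hardenSensitiveField(Activity activity, View pinField) {
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            pinField.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);
        }
    }
}
```

A typical use is to call collect() at launch and again before a high-value action (adding a payee, raising a transfer limit) and send the result to the fraud back end alongside the session, where a policy decides whether to step up authentication; none of these signals proves infection on its own, since developers and screen-reader users legitimately enable the same settings. hardenSensitiveField() is called once on the login or PIN screen; on devices older than Android 14 only the screen-capture flag applies, so the accessibility-service signal from collect() matters more there.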
Ransomware is a type of malware used to encrypt a victim’s data and then lock them out of the device or app. The cyber-criminal then demands a “ransom” payment in exchange for the keys to decrypt the data; the ransom is usually demanded in hard-to-trace Bitcoin. Ransomware attacks are growing at an incredibly fast rate, causing many governments and large commercial entities to issue warnings about the growing threat of ransomware.
Malicious Bot-nets & Click-bots: advertising click fraud malware allows an attacker to hijack a device to generate income through fake ad clicks. Bots are particularly worrisome because they can be programmed for very specific purposes or to phone home to receive updates from a C&C server.
Malvertising is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and web pages.
Recommendation for Developers of Mobile Banking and Fintech Apps
Protect your mobile banking and fintech apps against mobile malware and Remote Access Trojans. The pandemic has moved more and more of your customers to mobile banking. Hackers know this and are looking to take advantage of the situation. By waiting until your apps suffer a mobile breach, you are putting your customers and reputation at risk.