Mirror, Mirror on the Wall: Who’s the Most Malicious of Them All?
Banking Trojans are one of the main drivers of malicious activity targeting mobile and have successfully stolen many millions of dollars from private bank accounts. By creating overlays that mimic legitimate banking applications, the Trojans trick unaware users into handing over their banking details and, in many cases, they then intercept the SMS messages sent by apps as part of 2-step authentication.
As smartphones increasingly become the core of our customers’ financial lives, their worth to the malware community continues to rise – and so, the threat grows. How then can we successfully protect our customers from mobile banking fraud including banking Trojans, RATs, bots and emulators, without access to the magic mirror that distinguishes between legitimate human traffic, automated fraud attacks and malicious malware?
Foul Play on Google Play
Until recently, banking Trojans were primarily associated with third-party app stores. As a result, their reach was limited. But no longer. In 2017, several banking malware apps broke through into Google Play – allowing them to get to a much wider audience.
First, ESET reported that a new version of a malware called Charger was uploaded to Google Play on March 30 and installed by up to 5,000 unsuspecting users before being removed on April 10. Charger involves the use of fake screens that look like legitimate banking apps, and uses heavy obfuscation of malicious code to avoid detection.
ESET also reported the use of another malware on Google Play called Good Weather, which belongs to the BankBot family. BankBot targets customers of more than 429 banks around the world and has the capability to intercept SMS messages, obtaining security information sent by banks as part of 2 factor authentication.
Making matters worse, additional mobile malware infiltrated Google Play in several separate campaigns that emerged after open source malware was published on a malware developer platform.
Banking Trojans are Here to Stay
This kind of increased malware activity certainly was not new to 2017 and is even less new to 2018. Rather, it came on the heels of increased attacks by Trojans on mobile users throughout 2016, which caused damage to financial institutions and involved not just loss of money, but also had an impact on reputation and customer trust.
GM Bot, in particular, targeted hundreds of thousands of users in the last quarter of 2016 alone – specifically customers of more than 50 banks around the world including Citibank, ING, and Bank of America.
The source code for the malware leaked online in February according to PinDrop, and other malware authors adapted the technique to create similar offerings that are cheaper. While GM Bot can cost $15,000, its alternatives cost between $3,000 and $6,000 – according to Executive Security Advisor at IBM, Limor Kessem.
Mobile Banking Fraud Detection
According to Symantec’s ISTR Threat Report 2017, mobile banking malware targeted at least 170 apps for credential stealing. The Symantec report also revealed that three threat families were responsible for 86% of all financial threat attacks in 2016: Ramnit, Bebloh and Zeus.
Even in cases where a threat family has all but disappeared, new variants can and do re-appear on the market. For example, because of a takedown operation against Ramnit in 2015, the threat became dormant – but it reappeared in 2016 and dominated the financial Trojan landscape.
Email attachment campaigns can be particularly problematic. According to email security provider Proofpoint, banking Trojans were identified in a whopping 33% of malicious email attachment campaigns tracked in Q1 of 2017. Just for the sake of comparison: Proofpoint found ransomware in only 22% of the tracked campaigns.
The Broader Threat Landscape
Banking Trojans represent over 95% of mobile malware using social engineering techniques to lure users. But the growing threat of mobile malware should be viewed against the broad growth of a wide range of threats.
“The threat landscape of Q2  provides yet another reminder that a lack of vigilance is one of the most significant cyber dangers. While vendors patch vulnerabilities on a regular basis, many users don’t pay attention to this, which results in massive-scale attacks once the vulnerabilities are exposed to the broad cybercriminal community,” stated Alexander Liskin, security expert at Kaspersky Lab.
To illustrate Liskin’s point it’s worth noting that in Q2 alone Kaspersky reported:
- Repelling 342,566,061 malicious attacks from online resources in 191 countries
- Discovering attempted infections by malware designed to steal money (via online access to bank accounts) on 224,675 user computers
- Blocking over 5 million attacks involving exploits from archives leaked on the web
- For many financial institutions, traffic generated by bots can account for up to 60% of their overall website traffic.
How Do They Do It?
Mobile malware comes in a variety of forms.
- A common attack vector is RATs, Remote Access Trojans, which allow attackers to access nearly all device functions to exfiltrate sensitive data and steal money. Examples of RATs used in online banking fraud using financial malware include SpyNote, OmniRAT, and Dendroid. RAT attacks can also be leveraged to formulate a botnet - internet-connected devices controlled remotely by a common type of malware - and are much higher scaled threats.
- Mobile ransomware is another form of malware and is used to lock infected devices, or to encrypt files and folders located on a device. Users must pay in order to unlock a device or regain access to their files.
- Whereas the previous types of attacks target and exploit the end user, emulators - software simulations of devices that behave the same way as physical devices - target the service provider’s backend - i.e. the banks. Attackers leverage emulators to deceive device identification and automated risk-management solutions to carry out fraudulent activities. Financial institutions and banks must continue to be vigilant about identifying traffic from emulators.
- Banking Trojans modify the user’s experience using overlays and intercept communications in order to commit financial fraud. Mobile banking Trojans are an extension of mobile phishing and social engineering attacks.
Best Tools for Mobile Banking Fraud
Continuous authentication is one of the most effective tools in identifying the most common types of fraud attacks. By authenticating the user continuously throughout the length of the entire session, session takeovers can be prevented, stopping sophisticated fraud attempts in their tracks.
Continuous authentication provides a high level of fraud protection for the mobile banking sector... but is this enough? To prevent automated fraud attacks in 2018 and beyond, tools must continue to be developed that differentiate between human and non-human behavior; your customers deserve to be more confident in the bank's ability to protect their assets. More on this to come.