Mobile malware is becoming more sophisticated and evasive, making detection challenging. According to the McAfee Labs Threats Report for June 2018, mobile malware grew by 42% year over year. Much of this growth was driven by mobile banking trojans, which increased by 60% over the same period. Data from Kaspersky Labs backs up this trend: between Q1 and Q2 of this year, the number of mobile malware installation packages rose by more than 421,000 compared with the previous quarter.
With the increase in mobile malware, how can banks keep their systems and customers protected? And what is actually so ‘advanced’ about these advanced mobile malware threats?
Four mobile malware families highlighted in the McAfee report pose key threats to mobile banking: Marcher, LokiBot, MoqHao (or Roaming Mantis), and Faketoken & Tordow. The report also states that these malware families combine banking trojans with ransomware in an attempt to monetize the growing use of mobile banking applications.
Family #1: Marcher
Marcher campaigns start with phishing emails containing links to fake versions of online banking websites. Users enter personal information such as their name, phone number, and password on the fake site, and are then prompted to download a supposedly updated version of their mobile banking app. The new app looks and feels like the bank's app they are familiar with, but it is actually a malicious third-party application installed from outside the official app store. Once installed, the app secretly records the user's credentials and financial information. To date, nearly 20,000 users have fallen victim to Marcher.
Family #2: LokiBot
LokiBot works by drawing an overlay screen on top of legitimate apps: the victim types credentials into the fake screen believing it belongs to the real app, so the malware captures the input directly. LokiBot also includes a ransomware component that locks the phone and encrypts its files if the user tries to disable it, uninstall it, or revoke its device administrator rights. This makes it one of the first hybrid malware families to combine a banking trojan with ransomware. According to SC Media, LokiBot targets at least 119 banking and communication apps, with 100–2,000 instances found in the wild.
Family #3: MoqHao
MoqHao (or Roaming Mantis) uses a technique known as DNS hijacking to redirect users from official websites to malicious ones. With DNS hijacking, the resolver that translates hostnames into IP addresses is replaced or manipulated, so users attempting to visit one website are actually sent to another. For example, when a user connects to a compromised WiFi router that hands out an attacker-controlled DNS server, entering the bank's URL resolves to a malicious host instead of the bank's servers. The malicious website mimics the official bank website and prompts the user to download a new version of their mobile banking app. Once installed, such apps can steal sensitive information from the device before granting the attackers full control. MoqHao has been detected 6,000 times and is discovered most frequently in Asian countries.
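The redirection described above only works while the device trusts the resolver the router handed it. As an added example (not code from the original article or from any vendor named on the page), the following Python script parses raw DNS A-record responses and compares what the local, possibly hijacked, resolver returns for a bank hostname with what an independent reference resolver returns. The hostname `onlinebanking.example` and the addresses in the `198.51.100.0/24` and `203.0.113.0/24` ranges are constructed fixtures; in a live check the local response would come from a UDP query to the DHCP-supplied resolver and the reference from a DNS-over-HTTPS resolver or a list pinned into the app.

```python
import ipaddress
import struct

# Added example: minimal DNS A-record parsing plus a comparison between the
# device's configured resolver (which a compromised router controls) and an
# independent reference resolver. All names and addresses are constructed.

def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels ending in a NUL byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Recursive query (RD flag set) for an A record in class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_a_records(msg: bytes) -> dict:
    """Return {name: [dotted IPv4, ...]} for the A records in a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                 # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4                     # QTYPE + QCLASS
    answers = {}
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.setdefault(name, []).append(str(ipaddress.IPv4Address(rdata)))
    return answers

def build_a_response(name: str, ips, txid: int = 0x1234) -> bytes:
    """Constructed response standing in for a live resolver (test fixture only)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rrs = b""
    for ip in ips:
        # 0xC00C = pointer to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + rrs

def detect_hijack(name: str, local_answers: dict, reference_answers: dict) -> list:
    """Addresses returned by the local resolver but not by the reference resolver.
    A non-empty result means the router-supplied resolver is steering the bank
    hostname somewhere the bank does not publish."""
    local = set(local_answers.get(name, []))
    reference = set(reference_answers.get(name, []))
    return sorted(local - reference)

BANK = "onlinebanking.example"  # assumed hostname for the example
# Constructed fixtures: 198.51.100.0/24 stands in for the bank's real range,
# 203.0.113.0/24 for the attacker's phishing host.
REFERENCE_RESPONSE = build_a_response(BANK, ["198.51.100.10", "198.51.100.11"])
HIJACKED_RESPONSE = build_a_response(BANK, ["203.0.113.7"])

def run_check() -> list:
    """Parse both constructed responses and report rogue addresses."""
    local = parse_a_records(HIJACKED_RESPONSE)
    reference = parse_a_records(REFERENCE_RESPONSE)
    return detect_hijack(BANK, local, reference)

if __name__ == "__main__":
    print("rogue addresses for", BANK, "->", run_check())
```

A resolver comparison catches the redirect but is not a substitute for TLS certificate pinning inside the banking app: a host reached through a hijacked lookup cannot present the bank's certificate, so a pinned client refuses the connection before any login form is shown.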
Family #4: Faketoken & Tordow
Like LokiBot, Faketoken uses an overlay to capture data entered into banking and payment apps. It targets apps such as Google Pay and the Google Play Store that support linking bank cards in order to make payments. Because it can also secretly collect phone call data and SMS messages, it can intercept one-time authorization codes that services send to the device by SMS, defeating SMS-based two-factor authentication. Tordow is a similar form of malware that is more commonly spread through third-party app stores. Faketoken and its modifications contain overlays for around 2,000 financial apps.
Image 1 (Source: SecureList): Faketoken.q is capable of overlaying several banking and transactional applications. It monitors active apps, and as soon as the user launches a specific one, it substitutes its UI with a fake one.
How Leading Banks are Tackling Mobile Threats
The spread of mobile banking malware is forcing banks to reevaluate and strengthen their security practices. As explained by Gagan Singh, senior Vice President and General Manager of Mobile at Avast, "We are seeing a steady increase in the number of malicious applications for Android devices that are able to bypass security checks on popular app stores and make their way onto consumers' phones. Often, they pose as gaming and lifestyle apps and use social engineering tactics to trick users into downloading them."
Let's review two simple tactics banks should adopt in order to tackle mobile threats:
#1 Teach Your Customers Some ‘Hacks’
Surprisingly, despite ongoing educational campaigns, many users still don't realize the dangers of handling sensitive information online. In addition, malware developers are making it harder to differentiate between malicious apps and genuine ones. Although these apps must explicitly request permission to access the device, users who don't recognize the risk grant those permissions and put themselves and their contacts at risk.
To reduce their risk, banks are advised to educate customers about mobile banking threats and familiarize them with easy 'hacks' to protect themselves. Here are a few tips banks can provide their customers:
- Only install apps from an official app store or other trusted source
- Review the permissions requested by each app during and after the installation process
- Avoid clicking links in emails that ask you to log into an app or to install an update
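The permission review in the second tip can be automated for anyone examining a suspect app, and it ties directly back to the behaviours described for LokiBot and Faketoken above (overlays, SMS interception, device administrator rights, monitoring the foreground app). The following Python script is an added example, not code from the article or from any of the vendors it cites: it scans a decoded AndroidManifest.xml for the capability combinations those families rely on. The two manifests are constructed; a real APK's manifest is stored as binary XML and must first be decoded (for example with apktool) before this runs. The permission names are real Android permission constants; the mapping from permission to behaviour and the verdict thresholds are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions requested via <uses-permission> and the behaviour each enables.
# The behaviour class is the word before the colon. (Mapping is an assumption.)
USES_PERMISSION_SIGNALS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay: can draw a fake screen on top of another app",
    "android.permission.RECEIVE_SMS": "sms: can read incoming SMS one-time codes",
    "android.permission.READ_SMS": "sms: can read stored SMS one-time codes",
    "android.permission.READ_CALL_LOG": "calls: can harvest call data",
    "android.permission.GET_TASKS": "foreground: can learn which app the user has open",
    "android.permission.PACKAGE_USAGE_STATS": "foreground: can learn which app the user has open",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload: can install further packages",
}
# Signature-level permissions that are declared on a component's
# android:permission attribute rather than requested with <uses-permission>.
COMPONENT_PERMISSION_SIGNALS = {
    "android.permission.BIND_DEVICE_ADMIN": "device_admin: can lock the device and resist uninstall",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility: can read screen content and inject taps",
}

def analyze_manifest(xml_text: str) -> dict:
    """Return {permission: behaviour} for every risky capability in the manifest."""
    root = ET.fromstring(xml_text)
    signals = {}
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        if name in USES_PERMISSION_SIGNALS:
            signals[name] = USES_PERMISSION_SIGNALS[name]
    for tag in ("service", "receiver", "activity"):
        for el in root.iter(tag):
            perm = el.get(ANDROID_NS + "permission", "")
            if perm in COMPONENT_PERMISSION_SIGNALS:
                signals[perm] = COMPONENT_PERMISSION_SIGNALS[perm]
    return signals

def capability_classes(signals: dict) -> set:
    """Collapse individual permissions into behaviour classes."""
    return {desc.split(":")[0] for desc in signals.values()}

def verdict(signals: dict) -> str:
    """Rate the combination, not the individual permissions: an overlay alone is
    common in benign apps, an overlay plus OTP access is the banking-trojan pattern."""
    classes = capability_classes(signals)
    if "overlay" in classes and ({"sms", "accessibility", "foreground"} & classes):
        return "high: overlay combined with OTP or screen access (banking-trojan pattern)"
    if "device_admin" in classes and ({"sms", "overlay"} & classes):
        return "high: device admin combined with credential-theft capability (lock-and-steal pattern)"
    if classes:
        return "medium: " + ", ".join(sorted(classes))
    return "low: no risky capabilities declared"

# Constructed manifest modelled on the capabilities described for LokiBot/Faketoken.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application android:label="Bank Update">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for a harmless network-only app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = analyze_manifest(manifest)
        print(label, "->", verdict(found))
        for perm, why in sorted(found.items()):
            print("   ", perm, ":", why)
```

On a real device the same signals are visible without any tooling: Settings shows which apps hold "Display over other apps", SMS, and device administrator rights, and a banking app that is not the bank's own should hold none of them.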
#2 Designing Internal Systems with Security in Mind
Banks can also protect their customers by building security into their systems from the start. If an attacker gains even limited access to internal systems, they can potentially run phishing campaigns that appear to originate from the bank itself. Not only should internal systems be hardened against intrusion, but employees should receive frequent training on secure practices. This includes training developers on writing secure code.
Preparing for Future Threats
New threats are always emerging, and cybersecurity is constantly evolving to address those threats. Banks continue to do their diligence in best protecting themselves and their customers through ongoing education, implementing security best practices, and monitoring for new developments in the mobile threat landscape.