Mobile Banking fraud – part 2

Mobile Banking fraud – part 2

By Andy Gent

In the second part of our series on mobile banking, we look at some of the risks from Trojan and spoof apps.

Imitation, Trojan or spoof apps can be a real problem in today’s mobile marketplace, but are relatively easy to spot if you remain vigilant.  The name ‘Trojan’ comes from the tale of the Greek Wars and the ‘Trojan Horse’ the Greeks used to infiltrate the City of Troy undetected and ultimately end the ten year siege on the City.  A classic Trojan is a ‘keylogger’ which will log all of the keystrokes a user makes on a computer, in order to send the numbers and letters on to a third party.  The third party would then be able to decipher usernames, passwords and other personal details.  Others can force pop-ups and add fields on to website catchment pages.

Because of its open source platform Android, the most popular of the mobile operating systems, is particularly susceptible to this problem.  FAKEBANK is an imitation app targeting Android which installs on the phone as a Google Play Store icon to try and remain undetected.  When it knows which genuine banking app is used it creates a fake version and any information entered into this app, such as usernames and passwords, is sent to a third party.  This Trojan in particular can also intercept and transmit SMS messages and call logs.

Fake token generators and other banking related apps are also targeted, due to potential input of personal information.  The FAKETOKEN malware poses as a fake token generator that has a surprising resemblance to the official apps.  During execution it asks for the user’s password and continuously generates an error message if the user refuses.  When the user enters their password, the app generates a false token whilst transmitting the personal information it has gained to a third party.  This piece of malware can either be unwittingly downloaded by visiting malicious websites or manually installed by the user.  To manually install malware of this type, a user would have either downloaded an application of unknown or vague origin, or have downloaded an application from a source other than the manufacturers’ dedicated application store.  Be wary of any app icon that appears on your phone more than once, or any app that you don’t recognise at all.

The DENDROID malware, which is usually manually installed, comes packaged with other malware or ‘grayware.’ Grayware is the name given to programs that are not as serious or destructive as malware, but are still troublesome and undesirable.  An example of Grayware would be spyware software that records web surfing habits for the purposes of targeted marketing.  If this kind of greyware was downloaded by the user, the DENDROID malware could be hidden in the background, allowed to install because it would be sharing the permission given to the greyware.  The DENDROID malware allows a remote user to access the infected device where they can change settings, data and permissions in order to steal personal information.  DENDROID is a far more invasive and serious malware similar to the ANDROID_KSAPP.A spying tool.  As of Trend Micro’s last count, there were 1.4 million malicious and high-risk Android apps.  It is expects this number to keep rising.

The new Android Master Key Vulnerability has also put some people off of the idea of mobile banking, but precautions taken by Google now make these worries unfounded.  The Master Key Vulnerability allows malicious code to be inserted into legitimate apps.  The vulnerability relates to the apps’ digital signature and how this affects the update process.  When exploited, attackers can update an application that is already installed on your phone, without needing this digital signature that informs the app the update is official.  To protect your phone, ensure that the ability to install applications and updates from outside Google Play store is disabled.  Google have also modified the store to block any apps that try and take advantage of this vulnerability.

Common app permissions that are exploited by Trojan apps include ‘view WIFI state’, which will give an app access to WIFI network information.  This can be used to steal the WIFI passwords of the networks you connect to and allow cybercriminals to hack in and steal information from any of the devices connected to it.  ‘Retrieve running apps’ lets an app identify the running processes on your phone and will allow malware to ‘kill’ processes integral to your phone’s security.  The ‘Full internet access’ permission can be used by malware to communicate with remote command centres, transfer information or download malicious updates from them onto your phone.  The ‘Read phone state and identify’ permission can be used by malware for information grabbing, as it will allow the programme to see your IMEI, phone number and active calls.  A commonly requested permission by malware is ‘automatically start at boot’, as it will allow the programme to start automatically when the phone is switched on and continuously run in the background.  When downloading an app, ensure you read the permissions the app wants to be given before downloading it.  If it seems like the app is asking for too much, avoid it where possible.

As the most popular, the Android platform is targeted by cybercriminals more than any other mobile operating system, both to exploit innate vulnerabilities and to install malicious programmes.  Whilst this means that users do need to be more vigilant when using their phones, it also means that intercepting these attacks is a top priority for Google and the device manufacturers.  Ensure you keep both your phone’s software and the applications within it up to date.