Thu. May 19th, 2022

How to guard against malware targeting mobile banking apps

Information technology security experts say that malware targeting banking apps remains one of the biggest threats to mobile banking and mobile banking customers in 2022. One thing Android banking Trojans have in common is that they abuse an application programming interface (API) of the Android operating system (OS), its accessibility service, before launching their attacks. Google is aware that this service, designed to help people with disabilities use their device and the apps on it, is being exploited by bad actors to commit mobile banking fraud against low-income consumers, yet the abuse continues despite restrictions introduced in November to stop criminals taking advantage of the service.

ThreatFabric reported that more than 300,000 Android smartphone users downloaded what turned out to be banking Trojans after falling victim to malware that bypassed Google Play’s detection.

This fraudulent activity resulted in significant financial losses for the targeted banks. ThreatFabric also reported that the dropper apps used in these attacks all have a very small malicious footprint. The report concluded that this small footprint is a (direct) consequence of the AccessibilityServices API permission restrictions enforced by Google Play.

It is unclear whether Nigerian banks lost money from the fraudulent activity, but the Nigerian Communications Commission (NCC) said over the weekend that Nigeria was being targeted by cybercriminals sending malware to attack the banking applications of bank customers.

The NCC’s Computer Security Incident Response Team (CSIRT) discovered newly hatched malware on Saturday that steals users’ banking app login credentials on Android devices.

According to a security advisory from the NCC CSIRT, the malware called “Xenomorph”, which targets 56 European financial institutions, has a high impact and a high vulnerability rate.

The NCC, in a notice issued to inform Nigerians of the dangerous software, said that the main intention of Xenomorph is to steal credentials, combined with the use of SMS and notification interception to log and use potential 2-factor authentication tokens.

“Xenomorph is spread by an app that slipped into the Google Play Store posing as a legitimate app called ‘Fast Cleaner’, apparently intended to clean up junk files, boost device speed and optimize battery life. In reality, this app is just a means through which the Xenomorph Trojan could spread easily and efficiently,” NCC spokesperson Ikechukwu Adinde said in the notice.

To avoid early detection or being denied access to the Play Store, “Fast Cleaner” was released before the malware was placed on the remote server, making it difficult for Google to determine that the app was being used for malicious purposes, Adinde added.

Once operational on a victim’s device, the NCC said, Xenomorph could harvest device and short message service (SMS) information, intercept notifications and new SMS messages, perform overlay attacks, and prevent users from uninstalling it.

The threat also requests Accessibility Services privileges, allowing it to grant itself other permissions, according to NCC.

The NCC said the malware also steals victims’ banking credentials by overlaying fake login pages on top of legitimate ones.

Because it can also intercept messages and notifications, it lets its operators bypass SMS two-factor authentication and log into victims’ accounts without alerting them, the NCC added.

“Xenomorph was found to target 56 online banking apps, 28 from Spain, 12 from Italy, 9 from Belgium and 7 from Portugal, as well as cryptocurrency wallets and general-purpose apps like mobile services. The Fast Cleaner app has now been removed from the Play Store, but not before garnering over 50,000 downloads,” the CSIRT security advisory asserted.

“The Nigerian Communications Commission hereby wishes to advise telecommunications consumers to be on alert so as not to fall victim to this manipulation. Accordingly, the NCC urges telecommunications consumers and other Internet users, especially those using Android devices, to use reliable anti-virus solutions and update them regularly with their latest definitions. The Commission also urges consumers and other stakeholders to always update banking apps to their latest versions,” it said.

How Mobile Banking Users Can Fight Malware

In 2017, Symantec estimated a cumulative count of 27,000 mobile malware samples, operating primarily from untrusted third-party application websites, while 5,932 new malware variants emerged during that year. The latter figure increased by 40% in 2018, with 2,328 new mobile variants.

When releasing an app, banks and payment service providers should consider the risk of their app being reverse-engineered or hijacked by malware. The first task, according to https://www.appdome.com, is to educate their customers:

Customers should always install software updates;

Customers should never install files from links in SMS;

Customers should never disable Android’s built-in security which prevents the installation of apps downloaded from unknown sources;

Customers should not root or “jailbreak” their tablets or phones.

But this is far from enough to create strong security for their mobile applications. Hackers are malicious by nature and will always find a loophole in the system. Mobile operating systems are inherently vulnerable and require additional security.

Banking apps cannot rely solely on the security features of mobile operating systems, and Android is the primary target of attacks in the mobile space.

But Payment Services Directive 2 (PSD2) allows mobile banking to use third-party apps and possibly social websites. As a result, developers may be forced to use potentially insecure remote APIs, which opens the door to additional threats. For example, the API that connects the mobile phone app to the third-party server could be reverse-engineered and attacked by hackers. The cryptographic key used by the API could also be found in the code of the mobile application and could be exploited by criminals. Additional application-specific defense mechanisms can help protect applications in such cases.

Big companies like Google or Apple seem unable to completely prevent the distribution of fake apps through their secure online stores, Google Play and Apple Store. These fake apps can take partial or even full control of the mobile phone, steal data and impact other banking apps installed on the same phone or tablet.

Although there are cases of apps containing malware being published on official app stores, app stores are still a much safer source than sideloading apps from unknown sources. The risk from sideloaded apps is low on iOS if the device has not been jailbroken.

Recommended security model to protect mobile banking applications against all mobile banking Trojans

As most security professionals will say, there is no silver bullet when it comes to security. The only good security model is a layered one. As such, the recommended solution to protect banking apps against all mobile banking Trojans is a layered defense. First, the application must be protected against static code analysis so that the fraudster cannot learn the logic of the application. Next, the application must be protected against dynamic analysis. To do this effectively, the application needs a layered runtime defense, starting with self-defending application shielding that protects it against debugging, tampering, and reverse-engineering attempts. Next, developers must protect all data stored in the sandbox, as well as in the application code, with AES-256 encryption. Developers should prevent the app from running on devices with a compromised operating system, usually jailbroken or rooted devices. The final step in preventing hackers and fraudsters from learning how the app works is to secure the communication between the app and the mobile back end and protect it against network-based attacks such as Man-in-the-Middle attacks.

Once static and dynamic analysis of the application have been stopped, the developer must stop scammers from using malware to defraud victims (mobile banking app users). Again, a good defense is a layered defense. For starters, the banking app must be able to detect any app on the device that holds excessive Accessibility Services permissions; abuse of the AccessibilityServices API is common to all of these Trojans and RATs. The app should also block the use of custom keyboards, which may include keylogger software used to exfiltrate keystrokes, and it should detect and prevent screen overlay attacks that display a fake screen on top of the app’s own screen.
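As an added example, not code from the article or from Appdome or Cryptomathic, this Android Java sketch shows the first two runtime checks described above: it lists enabled accessibility services that can read window content and are neither system apps nor on a bank-maintained allowlist (the TalkBack package name stands in for that allowlist), and it hardens the login view against touches delivered through an overlay.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.view.View;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Illustrative in-app checks against accessibility abuse and screen overlays (not vendor code). */
public final class AccessibilityRiskCheck {
    // Hypothetical allowlist of accessibility services the bank has vetted, e.g. a screen reader.
    private static final List<String> TRUSTED_SERVICES =
            Arrays.asList("com.google.android.marvin.talkback");

    /** Enabled accessibility services that can read window content (the capability Trojans use to
     *  harvest credentials and click through permission dialogs) and are neither system apps nor
     *  allowlisted. An empty result means no suspicious service is currently enabled. */
    public static List<String> findSuspiciousServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        PackageManager pm = ctx.getPackageManager();
        List<String> suspicious = new ArrayList<>();
        for (AccessibilityServiceInfo info
                : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ResolveInfo ri = info.getResolveInfo();
            if (ri == null || ri.serviceInfo == null) continue;
            String pkg = ri.serviceInfo.packageName;
            boolean readsContent = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            boolean isSystem = false;
            try {
                ApplicationInfo ai = pm.getApplicationInfo(pkg, 0);
                isSystem = (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            } catch (PackageManager.NameNotFoundException ignored) {
                // Unknown package: treat as non-system and let the other conditions decide.
            }
            if (readsContent && !isSystem && !TRUSTED_SERVICES.contains(pkg)) suspicious.add(pkg);
        }
        return suspicious;
    }

    /** Makes the login view ignore touches while another window covers it. This defeats
     *  transparent tapjacking overlays; it cannot catch a full fake login page the victim types
     *  into directly, so it complements the service check above rather than replacing it. */
    public static void hardenAgainstOverlay(View loginView) {
        loginView.setFilterTouchesWhenObscured(true);
    }
}
```

A banking app would run findSuspiciousServices before showing the login form and refuse to proceed, or step up authentication, when the list is non-empty.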

Finally, fraudsters regularly abuse powerful developer tools to attack mobile banking apps. Experts said mobile app developers should detect and block the use of Android Debug Bridge, Magisk Manager, and Frida.

Additional information from www.appdome.com and www.cryptomathic.com.