Anti-Malware , Fraud , Phishing

Updated Mobile Malware Targets Android

Criminals Continue to Refine Mobile Banking Trojans
Updated Mobile Malware Targets Android

Security experts say that most Android malware fits into one of two buckets: either it's designed to steal one-time codes used to authenticate online transactions, or it's designed to trick users into divulging their online banking credentials or payment card details via a phishing attack.

See Also: Hide & Sneak: Defeat Threat Actors Lurking within Your SSL Traffic

For example, the latest strain of dangerous Android malware called SlemBunk has continued to target mobile banking application users by trying to trick users into sharing credentials. "SlemBunk apps masquerade as common, popular applications and stay incognito after running for the first time," researchers from security firm FireEye say in a Dec. 17 blog post. The app uses a fake screen - hence a phishing attack - to try and "harvest authentication credentials when specified banking and other similar apps are launched." FireEye says related attacks continue to be active, and are targeting users in North America, Europe and Asia-Pacific, although the majority have been aimed at mobile banking users in the United States and Australia.

When SlemBunk first appeared, it was designed to target various social-networking credentials, including for Facebook, FireEye says. More recently, however, the Trojan has been adapted to also target credentials for targeting popular banking and financial apps. "As SlemBunk expands its coverage of banks, its code has also become more sophisticated," FireEye says. "Notably, later samples utilize different techniques to obscure potential reverse engineering. ... In a few cases, SlemBunk authors took advantage of a commercial packer, DexProtector, which was designed to protect apps from being pirated. However, when used by a malicious application, it raises the difficulty for the analysis process."

Mobile Malware: Volume Increasing

For years, security experts have predicted that mobile malware will pose the next big threat to enterprise information security environments. And while the prevalence and sophistication of mobile malware continues to increase, there have yet to be any reports of a cybercrime "big bang" that overwhelms mobile endpoints en masse, leading to massive data breaches or fraud spikes.

Instead, the quantify of malware that targets devices that run the Android mobile operating system continues to increase, as well as to belatedly mirror what's happening in the world of PC malware (see Malware Hides, Except When It Shouts).

For example, security firm Kaspersky Lab reports that after PC-based ransomware debuted in 2013 - with CryptoLocker - it then appeared on Android devices in 2014 (see Refined Ransomware Streamlines Extortion). So far in 2015, meanwhile, it says that 17 percent of all ransomware infections have been on Android devices.

According to research conducted by anti-malware software vendor G Data Software, it logged 1.5 million new Android malware samples in 2014. From January to September of this year, furthermore, it had already seen 1.6 million mobile malware samples.

Top Android Malware: Faketoken, Marcher

Cyberattacks in 2015: Exploits used, by type of application attacked. (Source: Kaspersky Lab)

Kaspersky Lab reports that so far in 2015, attacks against Android devices have accounted for 14 percent of all attacks seen in the wild. Likewise, two Android banking Trojans - Faketoken and Marcher - feature in the top 10 list of most-seen malware for the year, which collectively attacked about 5 percent of all users.

Faketoken is malware that is designed to intercept the one-time mobile transaction authentication number (mTAN) or one-time password (OTP) that some banks send to a mobile device, which must be used to confirm an online transaction. Kaspersky Lab says related attacks first begin with attackers tricking users into installing PC-based malware, which intercepts a user's online banking credentials and then uses Web injections to alter the appearance of the user's online banking account and instruct them to download an Android application that is supposedly required to verify their transactions, but which is really Faketoken. Attackers can then transfer money out of the victim's account, and use the intercepted mTAN to authorize the transaction.

By contrast, the Marcher Android malware is designed simply to trick users into entering their online banking credentials or payment card details into a fake window, Kaspersky Lab says, noting that the malware only launches if the user opens Google Play, or the mobile app for an unnamed European bank. "If the user starts Google Play, Marcher displays a false window requesting credit card details which then go to the fraudsters," it says. "The same method is used by the Trojan if the user starts the banking application," except that it requests their online banking credentials.

Malware Spoofs Major Banks

The latest version of SlemBunk also follows that formula, spoofing mobile banking apps from 31 well-known global banking institutions, as well as imitating apps provided by two "popular" mobile payment service providers. FireEye did not identify any of these banks or the payment service providers, or immediately respond to a related request for comment. As with many other types of malware, the latest versions of SlemBunk get distributed through pornography websites, many of which also prompt users to download a fake Adobe Flash update that is malicious, FireEye warns.

"While financial gain is the primary goal of this malware, SlemBunk is also interested in user data," the FireEye researchers note in their blog. "This is reflected by its attempt to hijack the login credentials of high-profile Android applications, including popular social media apps, utility apps and instant messaging apps."

The rise of SlemBunk shows that mobile malware has become more sophisticated and targeted, and involves more organized efforts to steal more sensitive and personal information, the researchers say. "We do not expect this type of activity to go away anytime soon."

The Outdated Android Problem

Information security experts say that cybercriminals typically seek high-impact attacks that can generate maximum profit for minimum effort. And the continuing focus on mobile malware suggests that attackers believe there are profits to be made by hacking mobile devices.

"Mobile devices are the new front for cybercrime - the earlier a bank acts, the sooner criminals find other targets," says Al Pascual, director of fraud and security at Javelin Strategy & Research. "To manage this growing threat, bankers should apply a holistic approach, including account-holder education on mobile security best practices, biometric authentication in the mobile app, and strong back-end account security, such as behavior metrics, device fingerprinting and transaction analysis."

But banks' efforts are being subverted in part by many Android device manufacturers failing to keep their customers' devices updated with the latest operating system updates and security patches. According to research conducted by G Data in October, for example, few Android devices today are secure. "Over 80 percent use an outdated operating system that contains known security holes, and almost 12 percent are still using Froyo and Gingerbread - versions that are around five years old." And increasingly, it seems, attackers are being attracted to target those devices with mobile malware.

Executive Editor Mathew J. Schwartz also contributed to this story.


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network