Cybercriminals have reportedly used a multi-vectored methodology to bypass the complex security used by Android apps to access users' banking systems. According to Trend Micro, as many as 34 banks across Europe have been affected by the problem.
In its 'Operation Emmental' investigation - so-called because of the Swiss cheese (full of holes) aspect of the Android app security process - Trend says its research has revealed that 34 banks in four countries have fallen victim to a sophisticated spear-phishing and malware campaign.
The key takeaway from the investigation, says Christopher Budd, Trend's global threat research communications manager, is that banks in some European countries have implemented two-factor authentication (2FA) for access to their online banking.
It also appears that the cybercriminals may have developed methods of side-stepping this extra layer of security.
According to Trend's report on the investigation - entitled 'Finding Holes: Operation Emmental' - the researchers say that cybercriminals have developed a complex, but effective, method of attacking the latest security countermeasures that protect online banking.
By leveraging the openness of the Android platform to install apps from third-party sites, the report notes, Russian-speaking attackers are able to combine traditional phishing attacks, which capture a user's username and password, with malicious mobile apps that capture the session tokens sent to the user's mobile device.
So far, the attacks seem to be mainly affecting Android e-banking users in Austria, Switzerland, Sweden, other European countries and Japan.
The analysis - authored by David Sancho, Feike Hacquebord and Rainer Link of Trend's Forward-Looking Threat Research Team - concludes that the Operation Emmental attack methodology is a complex operation that involves several components to defeat a particular online banking protection system used in several countries.
"The infrastructure required to pull the attack off is not inconsequential—the attackers need a Windows malware binary, a malicious Android app sporting various banks' logos, a rogue DNS resolver server, a phishing Web server with several fake bank site pages, and a compromised command-and-control server," it says, adding that the attack vector is one that has likely evolved over time.
"The fact that the most salient part of the attack — the PC malware — is not persistent likely helped the attackers keep a low profile. We believe this allowed them to use different infection strategies, not just through emails, although we have not been able to detect any other means," notes the report.
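The rogue DNS resolver the report lists is the component a defender can check for most directly on an affected PC: if the host's resolver list has been altered, or bank domains resolve through it to addresses that a trusted resolver does not return, the host is a candidate for the non-persistent infection described above. The following Python script is an added illustration of that check and is not code from Trend's report; the corporate resolver allowlist, the bank domains and every IP address in it are constructed sample values (documentation ranges), and it assumes that answers from a trusted reference resolver can be obtained out of band.

```python
"""Detection check for the rogue-DNS-resolver stage of an Operation Emmental-style
attack: PC malware points the victim's resolver at an attacker-controlled server so
that bank domains resolve to phishing pages.  All inputs below are constructed.
"""

ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # hypothetical corporate resolvers

# Constructed resolv.conf as a DNS-changer might leave it: the rogue server is listed
# first, so it is tried first, and the legitimate one is kept as a fallback.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 203.0.113.7
nameserver 10.0.0.53
"""

# Constructed answers: what the host's configured resolver returned for a set of
# domains, versus what a trusted reference resolver returned for the same names.
SYSTEM_ANSWERS = {
    "ebanking.example-bank.ch": {"203.0.113.20"},
    "online.example-bank.at": {"203.0.113.20"},
    "www.example-cdn-site.net": {"198.51.100.5"},
}
REFERENCE_ANSWERS = {
    "ebanking.example-bank.ch": {"192.0.2.10", "192.0.2.11"},
    "online.example-bank.at": {"192.0.2.30"},
    "www.example-cdn-site.net": {"198.51.100.5", "198.51.100.6"},
}


def parse_resolvers(resolv_conf: str) -> list[str]:
    """Return nameserver addresses from resolv.conf text, in configured order."""
    resolvers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            resolvers.append(parts[1])
    return resolvers


def unexpected_resolvers(resolvers, allowed) -> list[str]:
    """Resolvers not on the allowlist.  One rogue entry is enough to hijack
    lookups, because the first listed server is consulted first."""
    return [r for r in resolvers if r not in allowed]


def resolution_mismatches(system_answers, reference_answers) -> dict:
    """Domains whose system-resolver answer shares no address with the reference.

    Overlap rather than equality is used: CDN-fronted sites legitimately rotate
    addresses, so two honest resolvers can disagree partially without any hijack.
    """
    findings = {}
    for domain, ref in reference_answers.items():
        got = system_answers.get(domain, set())
        if got and not (got & ref):
            findings[domain] = {"system": sorted(got), "reference": sorted(ref)}
    return findings


def shared_redirect_targets(mismatches) -> set[str]:
    """Addresses that several unrelated bank domains were redirected to.  A single
    server hosting fake pages for many banks is a strong hijack signal."""
    seen = {}
    for domain, detail in mismatches.items():
        for addr in detail["system"]:
            seen.setdefault(addr, set()).add(domain)
    return {addr for addr, domains in seen.items() if len(domains) > 1}


def assess(resolv_conf, allowed, system_answers, reference_answers) -> dict:
    """Combine the checks into one verdict a host-inventory job could record."""
    resolvers = parse_resolvers(resolv_conf)
    rogue = unexpected_resolvers(resolvers, allowed)
    mismatches = resolution_mismatches(system_answers, reference_answers)
    return {
        "rogue_resolvers": rogue,
        "mismatches": mismatches,
        "shared_redirect_targets": shared_redirect_targets(mismatches),
        "suspect": bool(rogue) or bool(mismatches),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_RESOLV_CONF, ALLOWED_RESOLVERS,
                    SYSTEM_ANSWERS, REFERENCE_ANSWERS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample data the script flags the unknown resolver 203.0.113.7 and reports that both bank domains were steered to the same address, while the CDN domain, whose two answer sets overlap, is left alone. Because the report stresses that the PC malware is not persistent, the altered resolver setting may be the only trace left on the host, which is why a periodic configuration check of this kind is worth more here than a one-off file scan.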
Trend's report says that protecting users from phishing attacks is often outside the control of the organisation being phished.
Because of this, "bank clients are advised to take all necessary precautions to secure their transactions, especially since the attacks mentioned in this paper occur entirely on their side."
According to Steve Armstrong, technical security director with pen testing specialist Logically Secure, the report highlights another example of Google's Android OS security model being fundamentally flawed.
"Most of these attacks are focused solely on Android because of the lack of software patches for the OS and the deployment method of waiting for carriers to 'personalise' the new OS and firmware releases. This model is broken because it is not in the carriers' and resellers' interests for users to update; they would rather get additional sales revenue from new handset sales," he explained.
Armstrong - who is a SANS Institute instructor - went on to say that Apple, on the other hand, "has a much better internal security model and users get patches long after the handset has been sold. This service comes with a price tag, but I don't see why users must pay more to be secure in this day and age," he said.
"If Google does not fix this growing problem, then with its new Nokia handset skills, Microsoft could steal a large middle ground between the premium Apple handset and the often orphaned and malware-targeted Android camp. I for one am looking at a Windows phone for my next purchase," he added.
Sarb Sembhi, a director with STORM Guidance, said the findings of the report highlight the need for banks to put their heads together - as other organisations have done - and develop common, more secure methodologies for the mobile phone and software industries to adopt.
The attack model, he added, is also highly sophisticated in that the cybercriminals have established five or six fallback positions to employ, in the event that one or more of their attack methodologies are compromised.
"Banks need to understand what attack model the cybercriminals are looking at, and then get together to discuss the issue, most notably how the security of the Android platform can be enhanced to stop things like this going wrong," he explained.