Cybercriminals have reportedly used a multi-vectored methodology to bypass the complex security used by Android apps to access users' banking systems. According to Trend Micro, as many as 34 banks across Europe have been affected by the problem.
In its `Operational Emmental' investigation - so-called because of the Swiss (full of holes) cheese aspect of the Android app security process - Trend says its research has revealed that 34 banks in four countries have fallen victim to a sophisticated spear-phishing and malware campaign.
The key takeout from the investigation, says Christopher Budd, Trend's global threat research communications manager, is that banks in some European countries have implemented 2FA (two factor authentication) security when accessing their online banking.
It also appears that the cybercriminals may have developed methods of side-stepping this extra layer of security.
According to Trend's report on the investigation - entitled `Finding Holes: Operation Emmental - the researchers say that cybercriminals have developed a complex, but effective, method of attacking the latest security countermeasures that protect online banking.
By leveraging the openness of the Android platform to install apps from third-party sides, the report notes, Russian language-speaking attackers are able to marry traditional phishing attacks to get a user's username and password with malicious mobile apps to get the session tokens sent to their mobile devices.
So far, the attacks seem be mainly affecting Android e-banking users in Austria, Switzerland, Sweden, other European countries and Japan.
The analysis - authored by David Sancho, Feike Hacquebord and Rainer Link of Trend's Forward-Looking Threat Research Team - concludes that the Operation Emmental attach methodology is a complex operation that involves several components to defeat a particular online banking protection system used in several countries.
"The infrastructure required to pull the attack off is not inconsequential—the attackers need a Windows malware binary, a malicious Android app sporting various banks' logos, a rogue DNS resolver server, a phishing Web server with several fake bank site pages, and a compromised command-and-control server," it says, adding that the attack vector is one that has likely evolved over time.
"The fact that the most salient part of the attack — the PC malware — is not persistent likely helped the attackers keep a low profile. We believe this allowed them to use different infection strategies, not just through emails, although we have not been able to detect any other means," notes the report.
Trend's report says that protecting users from phishing attacks is often outside the control of the organisation being phished.
Because of this, "bank clients are advised to take all necessary precautions to secure their transactions, especially since the attacks mentioned in this paper occur entirely on their side."
According to Steve Armstrong, technical security director with pen testing specialist Logically Secure, the report highlights another example of Google's Android OS security model being fundamentally flawed.