Security researchers have found a new strain of malware targeting banking apps on Android devices.
Researchers at Quick Heal Security Labs, who named the malware Android.banker.A2f8a, said it targets more than 232 banking apps, stealing login credentials, hijacking SMS messages, and uploading contact lists and SMS messages to a malicious server. It also displays an overlay screen (to capture details) on top of legitimate apps.
The malware is being distributed through a fake Flash Player app on third-party stores. Bajrang Mane, a researcher at Quick Heal Security Labs, said that this is not surprising given that Adobe Flash is one of the most widely distributed products on the Internet.
He added that once installed, the malicious app asks the user to grant it device administrator rights, and even if the user denies the request or kills the process, the app keeps throwing pop-ups until the privilege is granted. “Once this is done, the malicious app hides its icon soon after the user taps on it,” said Mane.
He said that the app then carries out its malicious tasks: it keeps checking the apps installed on the victim's device, looking in particular for the 232 targeted apps.
“If any one of the targeted apps is found on the infected device, the app shows a fake notification on behalf of the targeted banking app. If the user clicks on the notification, they are shown a fake login screen to steal the user's confidential info like net banking login ID and password,” said Mane.
The malware can also read all incoming and outgoing text messages, which lets it bypass OTP-based two-factor authentication on the victim's bank account, and it can change the device's ringer volume to silence text message notifications.
Mane said that users should avoid downloading apps from third-party sources or from links sent via text messages or emails.
“Always keep ‘Unknown Sources’ disabled. Most importantly, verify app permissions before installing any app even from official stores such as Google Play. Always keep your device OS and mobile security app up-to-date,” he added.
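The behaviours described above (device administrator nagging, SMS interception for OTP theft, overlays on top of banking apps, contact upload, and silencing the ringer) all require permissions or components that an app must declare in its AndroidManifest.xml, which is what "verify app permissions" comes down to in practice. The script below is an added example, not Quick Heal's tooling or the real malware's manifest: it parses a manifest and scores the combination of declared permissions and receivers against those behaviours. The sample manifests, the package names and the indicator weights are constructed for illustration.

```python
"""Static triage of an AndroidManifest.xml for the permission and component
combination implied by an SMS-stealing overlay banker.

Added example. Sample manifests, package names and weights are constructed
for illustration; they are not taken from the malware discussed in the article.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(elem, attr):
    """Read an android:-namespaced attribute (ElementTree stores it as {ns}attr)."""
    return elem.get(f"{{{ANDROID_NS}}}{attr}")


# Behaviour from the write-up -> permissions an app must declare to get it.
# Weights are a triage heuristic chosen for this example (assumption).
PERMISSION_INDICATORS = [
    ("reads incoming/outgoing SMS (OTP theft)",
     {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}, 3),
    ("can send SMS", {"android.permission.SEND_SMS"}, 1),
    ("can draw overlays on other apps", {"android.permission.SYSTEM_ALERT_WINDOW"}, 3),
    ("can read contacts", {"android.permission.READ_CONTACTS"}, 1),
    ("can change ringer/notification volume",
     {"android.permission.MODIFY_AUDIO_SETTINGS"}, 1),
]


def triage_manifest(xml_text):
    """Return the declared indicators, a score and a verdict for one manifest."""
    root = ET.fromstring(xml_text)
    perms = {_a(e, "name") for e in root.iter("uses-permission")}
    findings, score = [], 0

    for desc, needed, weight in PERMISSION_INDICATORS:
        if needed <= perms:
            findings.append(desc)
            score += weight

    for rcv in root.iter("receiver"):
        actions = {_a(act, "name") for act in rcv.iter("action")}
        # Device-admin receivers are how an app earns the "activate admin" prompt.
        if (_a(rcv, "permission") == "android.permission.BIND_DEVICE_ADMIN"
                and "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
            findings.append("requests device administrator (hard to remove)")
            score += 3
        # A high-priority SMS_RECEIVED receiver is a legacy tell: before Android 4.4
        # the top-priority receiver could abort the broadcast and hide the message.
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            prio = max((int(_a(f, "priority") or 0) for f in rcv.iter("intent-filter")),
                       default=0)
            if prio > 0:
                findings.append(f"high-priority SMS_RECEIVED receiver (priority {prio})")
                score += 2

    verdict = "suspicious" if score >= 6 else "review" if score >= 3 else "low"
    return {"package": root.get("package"), "findings": findings,
            "score": score, "verdict": verdict}


# Constructed manifest resembling a fake "Flash Player" banker (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer.fake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
  <application android:label="Flash Player">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["score"], r["findings"])
```

The scoring is deliberately simple: no single permission is damning (many legitimate apps read SMS or draw overlays), but the combination of SMS access, overlays and a device-admin receiver in an app that claims to be a Flash Player is exactly the profile the article describes and is worth pulling apart before installing.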
Tertius Wessels, product manager at Entersekt, told SC Media UK that when a customer accepts a notification sent by the malware, they will typically be redirected to a fraudulent website and prompted to enter their login details. In so doing, fraudsters exploit a key vulnerability in authentication methods – even multi-factor authentication methods.
“When a customer has to enter sensitive information such as a PIN or one-time password into the same channel where they had logged in to their online banking platform or initiated a payment, for example, it enables a fraudster listening in on or tracking that channel to capture the sensitive information,” he said.
“The importance of using an out-of-band channel for communications between banks and customers cannot be stressed enough. In an approach where a separate, secured and encrypted channel is established between the bank and the customer's uniquely identified and verified mobile phone, for example, a fraudster will not receive authentication requests pushed to the customer's mobile device. So even if the fraudster could gain access to a customer's online or mobile banking platform, they would not be able to complete any sensitive transactions.”
Robert Capps, vice president at NuData Security, told SC Media UK that this banking trojan is not only able to spy on the credentials entered by the user, but is also able to intercept incoming and outgoing SMS. “This means that bad actors can successfully pass the two-factor authentication step that is based on SMS codes,” he said.
“This attack is a good reminder that security layers have to be combined with passive behavioural technology to provide better security for customers and companies. Online businesses need to employ a holistic risk-based authentication infrastructure that looks across multiple vectors of the user's behavioural interaction such as device intelligence, connection, behavioural analytics, and passive and active biometrics. This creates a dynamic and intelligent authentication solution that can't be duplicated by third parties.”