Information technology security experts have said malware targeting banking apps remains one of the biggest threats to mobile banking and mobile banking customers in 2022. One thing Android banking Trojans have in common is that they abuse the accessibility application programming interface (API) of the Android operating system (OS) before launching attacks. Google is aware that this service, designed to help people with disabilities use their device and the apps on it, is being abused by bad actors to commit mobile banking fraud against unsuspecting consumers, and the abuse has continued despite the restrictions Google introduced in November to stop criminals taking advantage of the service.
ThreatFabric reported that over 300,000 Android smartphone users downloaded what turned out to be banking trojans after falling victim to malware that bypassed detection by the Google Play app store.
This fraudulent activity resulted in significant financial loss for the targeted banks. ThreatFabric also reported that the dropper apps used in these attacks all have a very small malicious footprint, and concluded that this small footprint is a (direct) consequence of the AccessibilityServices API permission restrictions enforced by Google Play.
It is not clear if Nigerian banks lost money to the fraudulent activity, but the Nigerian Communications Commission (NCC) at the weekend said Nigeria was targeted by cybercriminals who sent out malware to attack the banking apps of bank customers.
The NCC’s Computer Security Incident Response Team (CSIRT) on Saturday discovered a newly-hatched malicious software that steals users’ banking app login credentials on Android devices.
According to a security advisory from the NCC CSIRT, the malicious software called “Xenomorph”, found to target 56 financial institutions from Europe, has a high impact and high vulnerability rate.
NCC in an advisory issued to notify Nigerians of the dangerous software said the main intent of Xenomorph is to steal credentials, combined with the use of SMS and notification interception to log in and use potential 2-factor authentication tokens.
“Xenomorph is propagated by an application that was slipped into Google Play store and masquerading as a legitimate application called “Fast Cleaner” ostensibly meant to clear junk, increase device speed and optimize the battery. In reality, this app is only a means by which the Xenomorph Trojan could be propagated easily and efficiently”, NCC’s spokesman Ikechukwu Adinde said in the advisory.
To avoid early detection or being denied access to the Play Store, “Fast Cleaner” was disseminated before the malware was placed on the remote server, making it hard for Google to determine that such an app is being used for malicious actions, Adinde added.
Once up and running on a victim’s device, the NCC said, Xenomorph could harvest device information and Short Messaging Service (SMS), intercept notifications and new SMS messages, perform overlay attacks, and prevent users from uninstalling it.
The threat also asks for Accessibility Services privileges, which allow it to grant itself further permissions, according to NCC.
The NCC said the malware also steals victims’ banking credentials by overlaying fake login pages on top of legitimate ones.
Considering that it can also intercept messages and notifications, it allows its operators to bypass SMS-based two-factor authentication and log into the victims’ accounts without alerting them, NCC further said.
“Xenomorph has been found to target 56 internet banking apps, 28 from Spain, 12 from Italy, 9 from Belgium, and 7 from Portugal, as well as Cryptocurrency wallets and general-purpose applications like emailing services. The Fast Cleaner app has now been removed from the Play Store but not before it garnered 50,000+ downloads,” the CSIRT security advisory asserted.
“The Nigerian Communications Commission hereby wishes to advise telecom consumers to be on alert in order not to fall victim to this manipulation. Accordingly, the NCC urges telecom consumers and other Internet users, particularly those using Android-powered devices, to use trusted antivirus solutions and update them regularly to their latest definitions. The Commission also implores consumers and other stakeholders to always update banking applications to their most recent versions,” it said.
How mobile banking users can combat malware
In 2017, Symantec estimated that there was a cumulative total of 27,000 mobile malware variants, operating mainly from insecure third-party app websites, and that 5,932 new malware variants appeared during the year. The latter figure increased by 40 per cent in 2018 with 2,328 new mobile variants.
When publishing an application, banks and payment service providers should consider the risk that their application will be reverse-engineered or attacked via malware. The first task, according to https://www.appdome.com, is to educate their customers:
Customers should always install the software updates;
Customers should never install files from links in SMS;
Customers should never disable the built-in Android security that prevents installing apps downloaded from unknown sources;
Customers should not root or “jailbreak” their tablets or phones.
But this is far from enough to create strong security for their mobile apps. Hackers are malicious by nature and will always find a flaw in the system. Mobile OSs are vulnerable by nature and need additional security.
Banking apps cannot rely on mobile OS security features alone and Android is the prime target for attacks in the mobile space.
But the Payment Services Directive 2 (PSD2) allows mobile banking to use third-party applications and, eventually, social websites. Therefore, developers may be forced to use potentially insecure remote APIs, which opens the door to additional threats. For example, the API that connects the mobile phone app with the third-party server could be reverse-engineered and attacked by hackers. The cryptographic key used by the API could also be located in the mobile app code and extracted by criminals. Additional app-specific defense mechanisms can help protect the applications in such cases.
Large companies like Google or Apple seem to be unable to completely prevent fake applications from being distributed through their secure web stores, Google Play and Apple Store. Such fake apps can take partial or even total control of the mobile phone, steal data, and impact other banking applications installed on the same phone or tablet.
While there are some cases of apps containing malware being allowed onto the official app stores, the app stores are still a much safer place than sideloading apps from unknown sources. The risk from sideloaded apps is low on iOS if the device has not been jailbroken.
Recommended security model to protect mobile banking apps against all mobile banking Trojans
As most security professionals will say, there is no silver bullet in security. The only good security model is a layered one. As such, the recommended solution to protect banking apps against all mobile banking Trojans is a layered defense. First, the app should be protected against all static code analysis attempts so that the fraudster cannot learn the app logic. Next, the app should be protected against dynamic code analysis attempts. To do so effectively, the app should have a layered run-time defense, starting with self-defending app shielding to protect the app against debugging, tampering and reverse-engineering attempts. Next, developers should protect all the data stored in the sandbox, as well as throughout the code of the app, with AES-256 encryption. Developers should also prevent the app from running on devices with a compromised OS, typically jailbroken or rooted devices. The final step in preventing hackers and fraudsters from learning how the app functions is to ensure secure communication between the app and the mobile back end and to protect against network-based attacks such as Man-in-the-Middle attacks.
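The run-time layers described above (refusing to run on a compromised OS, AES-256 encryption of sandbox data, and pinned TLS against Man-in-the-Middle attacks) can be sketched in an Android banking app as follows. This is an added example and is not code from the article, Appdome or Cryptomathic; the object name BankingAppGuard, the host api.bank.example and the placeholder certificate pin are assumptions, the root-indicator paths are common heuristics rather than a complete list, and it assumes the Jetpack Security (androidx.security.crypto) and OkHttp libraries are on the classpath.

```kotlin
// Added example: three run-time defense layers for an Android banking app.
// Not the article's code; names marked "assumption" are invented for illustration.
import android.content.Context
import android.os.Build
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import java.io.File
import java.util.concurrent.TimeUnit

object BankingAppGuard {

    // Common locations of a "su" binary or root-manager app.  This is a heuristic:
    // a rooted OS can hide them, so a hit is a hard stop, a miss is not proof of a clean device.
    private val ROOT_INDICATORS = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/app/Superuser.apk", "/data/local/tmp/su"
    )

    private const val API_HOST = "api.bank.example"                       // assumption
    private const val EXPECTED_PIN_SHA256 =                                // placeholder pin
        "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

    /** Layer: refuse to run on a compromised (rooted) OS. */
    fun isOsCompromised(): Boolean {
        // Firmware signed with test keys is typical of custom / rooted ROMs.
        if (Build.TAGS?.contains("test-keys") == true) return true
        return ROOT_INDICATORS.any { File(it).exists() }
    }

    /** Layer: keep data in the app sandbox encrypted with AES-256 (GCM for values,
     *  SIV for keys); the master key lives in the Android Keystore, not in app code. */
    fun openEncryptedPrefs(context: Context) =
        EncryptedSharedPreferences.create(
            context,
            "banking_secure_prefs",
            MasterKey.Builder(context)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build(),
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
        )

    /** Layer: pin the back-end certificate so a Man-in-the-Middle holding a
     *  user-installed or rogue CA certificate cannot read the session. */
    fun pinnedHttpClient(): OkHttpClient =
        OkHttpClient.Builder()
            .certificatePinner(
                CertificatePinner.Builder()
                    .add(API_HOST, EXPECTED_PIN_SHA256)
                    .build()
            )
            .connectTimeout(10, TimeUnit.SECONDS)
            .build()

    /** Call from Application.onCreate(), before any credential is handled. */
    fun enforce(onCompromised: () -> Unit) {
        if (isOsCompromised()) onCompromised()
    }
}
```

A real deployment pins a backup key as well as the live one so that a certificate rotation does not lock customers out, and combines the file-based root check with Play Integrity or a commercial shielding SDK, since a determined attacker can hide the indicators listed here.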
Once a hacker is prevented from using static and dynamic analysis against the app, the developer should prevent fraudsters from using malware to defraud the victims (users of the mobile banking app). Again, a good defense is a layered defense. To start, the banking app should be able to detect any application on the device that has too many accessibility service permissions. This abuse of the AccessibilityServices API is common to all Trojans and RATs. In addition, the app should stop the use of custom keyboards that may include keylogger software used to exfiltrate keystrokes, and it should detect and prevent screen overlay attacks from displaying a fake screen on top of the app's screen.
Finally, fraudsters regularly abuse powerful developer tools to attack mobile banking apps. Experts said mobile app developers should detect and block the use of the Android Debug Bridge, Magisk Manager and Frida.
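The on-device checks from the last two paragraphs (auditing which apps hold accessibility-service access, rejecting untrusted keyboards, hardening the login screen against overlays, and detecting the Android Debug Bridge, Magisk Manager and Frida) look roughly like this in an Android app. This is an added example, not code from the article or from any vendor it cites; the object name DeviceThreatChecks, the allowlists of trusted accessibility and keyboard packages, and the Magisk package name and Frida string match are assumptions or well-known defaults that a renamed build will evade.

```kotlin
// Added example: malware and tooling checks for an Android banking app.
// Not the article's code; allowlists and detection strings are assumptions.
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.content.pm.PackageManager
import android.provider.Settings
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import java.io.File

object DeviceThreatChecks {

    // Accessibility services and keyboards the bank has reviewed (assumption:
    // a real app ships its own list; TalkBack and Gboard are shown as examples).
    private val TRUSTED_ACCESSIBILITY_PACKAGES = setOf("com.google.android.marvin.talkback")
    private val TRUSTED_KEYBOARD_PACKAGES = setOf("com.google.android.inputmethod.latin")

    /** Packages with an enabled AccessibilityService that are not on the allowlist.
     *  This is the capability banking Trojans use to self-grant permissions and drive overlays. */
    fun untrustedAccessibilityServices(context: Context): List<String> {
        val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.resolveInfo.serviceInfo.packageName }
            .filter { it !in TRUSTED_ACCESSIBILITY_PACKAGES }
            .distinct()
    }

    /** The active input method; a custom keyboard can act as a keylogger. */
    fun currentKeyboardIsTrusted(context: Context): Boolean {
        val ime = Settings.Secure.getString(context.contentResolver,
            Settings.Secure.DEFAULT_INPUT_METHOD) ?: return false
        return ime.substringBefore('/') in TRUSTED_KEYBOARD_PACKAGES   // "package/.Service"
    }

    /** Overlay defense for a login screen: drop touches that arrive through another
     *  window on top of ours, and block screenshots / screen recording of the view. */
    fun hardenAgainstOverlays(activity: Activity, loginRoot: View) {
        activity.window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE)
        loginRoot.filterTouchesWhenObscured = true
    }

    /** Android Debug Bridge switched on in developer settings. */
    fun adbEnabled(context: Context): Boolean =
        Settings.Global.getInt(context.contentResolver, Settings.Global.ADB_ENABLED, 0) == 1

    /** Magisk Manager under its default package name (assumption: only one signal,
     *  since the package can be renamed). */
    fun magiskManagerInstalled(pm: PackageManager): Boolean = try {
        pm.getPackageInfo("com.topjohnwu.magisk", 0); true
    } catch (e: PackageManager.NameNotFoundException) { false }

    /** Frida injects an agent library into the target process; look for it in our own
     *  memory map (assumption: default, unrenamed agent). */
    fun fridaAgentLoaded(): Boolean = try {
        File("/proc/self/maps").useLines { lines -> lines.any { it.contains("frida") } }
    } catch (e: Exception) { false }

    data class Verdict(
        val accessibilityAbusers: List<String>, val keyboardTrusted: Boolean,
        val adb: Boolean, val magisk: Boolean, val frida: Boolean
    ) {
        val shouldBlockSensitiveFlows: Boolean
            get() = accessibilityAbusers.isNotEmpty() || !keyboardTrusted || adb || magisk || frida
    }

    /** Run before login or a transfer; the verdict decides whether to continue. */
    fun assess(context: Context) = Verdict(
        untrustedAccessibilityServices(context),
        currentKeyboardIsTrusted(context),
        adbEnabled(context),
        magiskManagerInstalled(context.packageManager),
        fridaAgentLoaded()
    )
}
```

On Android 11 and later, getPackageInfo for another app only succeeds if that package is declared in a `<queries>` element of the manifest, so the Magisk check silently returns false without it. Each check here is a signal rather than proof; a sensible policy blocks the transfer flow on a hit, reports the verdict to the bank's fraud back end, and shows the customer why, rather than silently failing.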
Additional information sourced from www.appdome.com and www.cryptomathic.com.