The battle against mobile banking trojans

Mobile malware poses a massive threat to banking apps, and the stakes are just as high for both mobile banking customers and the banks themselves.

For end users - now more susceptible to being tricked than ever before - the impact of malware ranges from financial loss, to identity theft and having their sensitive personal data stolen. Attacks can result in long-term financial and emotional trauma.

Beyond financial losses and regulatory penalties, banks risk the permanent erosion of customer trust and the irreparable harm that can cause to their reputation and long-term viability.

Here at Licel, our threat intelligence platform, Alice, is constantly monitoring the threat  landscape of the financial sector. What it tells us is that there are now more devices than you would imagine out there with dangerous forms of mobile banking trojans installed on them. And that poses a problem if your application is also on that device. 

Threat monitoring combined with reliable anti-malware measures are absolutely vital in making applications (and the mobile device in general) trustworthy. 

In this article we’ll explore the current state of play with mobile malware, we’ll tell you what some of the most sophisticated mobile banking trojans are capable of, and then we’ll explain how we tackle the mobile malware threat here at Licel.

The seriousness of the threat to the financial industry can be gauged by the fact that there are currently around one hundred thousand malware programs active. Almost all of them are designed to target applications and end user data in some way, though some of them are more dangerous than others. 

Many forms of malware, including keyloggers and spyware, have broad targets and objectives. They are sent out into the wild in the hope they inadvertently get downloaded onto a victim’s device and can cause a little bit of chaos.  

But it’s malware that specifically targets banking apps (mobile banking trojans) that you have to be most mindful of. Banking trojans are laser focused on their goal of targeting specific financial apps and SDKs and stealing funds and sensitive user data.

Some of them are designed in such a way that they can lie dormant until the target banking app is opened on an end user device. Others have even been programmed to override biometric authentication on a device. 

This threat is made worse by the fact that the malware delivery mechanism is getting more polished. There are a variety of ways in which malware finds its way onto a mobile device, but they all tend to rely on the end user of a device being tricked in some way. And a combination of AI making phishing scams more convincing and people being more digitally distracted than ever before means attacks are finding their target with more regularity.   

Here at Licel we recently had a candid conversation with the CISO of a financial institution who told us that bad actors had managed to clone the company’s app and had then begun a kind of marketing campaign of sorts to convince people to download this bogus version laced with malware. The attackers used marketing materials the bank itself had created to advertise their malicious version. They then spent several months gathering intelligence about customers so that they could even more convincingly imitate the bank when they came to launch their attack.   

This sophisticated strategy highlights that the fight against malware is multi-faceted, and that education about social engineering should be included as part of a holistic security approach alongside robust, technical defensive mechanisms (which we’ll cover later in this article).

Our threat intelligence platform, Alice, has identified countless banking trojans in the environment of our clients’ applications in the last year or so. But some usual suspects have appeared again and again in that time, including Octo, Godfather, Ermac, Anatsa, Phoenix, and EventBot. 

The attack method for each tends to be similar: a seemingly-legitimate and benign application (often related to time management, cleaning, or battery optimization) is downloaded by the end user. But unbeknown to the victims, this is actually a trojan dropper app either with the malicious payload embedded or downloaded by request from a command and control center.

Whichever way it happens, the end result is the same: the malware is successfully installed on end users’ devices, almost always without them being aware of it. 

Banking trojans targeting the Android platform will often look to exploit Accessibility Services - a set of functions with the noble intention of helping people with disabilities to make the most of their phone. It has become a key target because of the permissions that Accessibility Services provides - permissions such as gaining access to SMS texts and notifications, viewing their contact lists, recording users’ on-screen activity, making calls from the device, and writing to external storage. 

It’s clear that, in the wrong hands, this service can result in sensitive personal data being gleaned much more easily.    

Most of the sophisticated banking trojans we listed above are programmed to log keystrokes, carry out overlay attacks to capture credentials, harvest contact information, and even put in place measures that make it impossible for the malware to be uninstalled or for antivirus engines to detect it. 

Remember, the ultimate goal of banking trojans is to steal money and, where possible, attackers want to perform on-device fraud from afar and avoid fraud-monitoring alarms. The more automated bad actors can make this process, the easier it is for them to scale their operations.

Let’s go back to our list of malware repeat offenders we mentioned earlier and take a look at the fraudulent activities that two of them (Anatsa and Godfather) are designed to carry out:

Anatsa has the ability to steal login credentials (via overlay attacks, keylogging, or logging all accessibility events) with the goal of stealing money and intercepting SMS messages to bypass 2FA. It can also change input fields in banking apps via accessibility functionality to perform Device Takeover Fraud (DTO) and achieve remote access capabilities.

The Godfather trojan uses an overlay HTML phishing page to steal end users’ login credentials and can spy on SMS messages and steal OTP passwords in order to bypass 2FA. It can even open remote VNC sessions to act as the device owner, performing malicious transactions from the user’s device.

Hopefully the paragraphs above have convinced you of the scale of the mobile malware threat. 

The question is: what can be done about it?

At Licel, our anti-malware approach is two-pronged and involves both DexProtector (our app and SDK security solution for Android and iOS) and Alice (our threat intelligence platform). 

We mentioned earlier that Alice is constantly monitoring the threat landscape of our clients’ apps and SDKs. Part of its activity is all about discovering potential malware threats installed on end users’ devices. This is important because if one of their end users does have dangerous malware installed on their device, then there is clearly more scope for their application to be at risk (and for associated trust and reputational damage with that customer in the event of something going wrong). 

That’s why we don’t only monitor. The anti-malware module within the DexProtector Runtime Engine scans devices for malware and potentially harmful apps; if it finds something, then depending on the configuration it either closes the app or it reports the incident containing the data of its findings to the host app. We work closely with our clients to coordinate exactly what action is required. And with the latest Alice anti-malware updates, they can even configure their app protection behavior based on the category of malware that we’ve detected.  

We’ve implemented the functionalities above as we’re aware that increasing numbers of businesses and institutions are keen on implementing more proactive anti-malware measures. Earlier this month, mechanisms like those we’ve just described above were identified as a key priority by a group of Malaysian financial companies, for example.   

DexProtector also carries out more direct protection measures to mitigate the impact of dangerous banking trojans. Its UI protection functionality stops bad actors from exploiting Accessibility Services capabilities such as screen capturing. When an application has DexProtector’s UI protection implemented, attackers only see a black screen when they attempt to screen grab.