Over the past few years the way people interact with the Internet has changed.
In the past, the vast majority of people (over 80 percent) accessed the Internet from Windows desktop and laptop machines, with Mac OS X machines a distant second.
But by the end of 2016, everything had changed. Android mobile devices overtook Windows desktops as the most common means of accessing the Internet.
Naturally, this trend hasn’t gone unnoticed.
As more and more people have switched to mobile devices to browse the web, and access social media, gaming, and banking/payment apps, threat actors have increasingly switched their focus away from desktop operating systems, and towards mobile.
And here’s the thing.
Remember back in the nineties, when the Internet was a new thing for most people? Nobody took desktop security seriously back then, and the same is now true of mobile security.
Modern mobile banking trojans routinely imitate legitimate, respected applications. Naturally, this can have a highly negative impact on the reputation and goodwill built up by legitimate organizations. View this on-demand webinar for examples of these threats and learn what organizations can do to fight back.
Mobile Malware: A Rundown
With the move to attacking a new set of platforms, you might expect to see a whole new range of threats. In reality, though, modern malware families aren’t so different from those we've come to know and hate.
Of course, there is room for some new functionality. Unlike traditional desktop machines, mobile devices are nearly always capable of sending and receiving SMS messages or phone calls, so many modern malware threats have evolved to take advantage of these additional functions.
Outside of this, however, the most prevalent threat types are very familiar:
Remote Access Trojans (RATs) - A very common threat type, RATs typically provide attackers with access to nearly all device functions, including the ability to steal and send SMS messages, record and/or intercept phone calls, use the camera, install software, and exfiltrate sensitive data.
Examples include SpyNote, OmniRAT, and Dendroid.
Infostealers and Backdoors - Typically these grant attackers less access than RATs, but they do give them data that is useful for reconnaissance or other criminal activity. For example, this could include system and user data, or the discovery of vulnerable hosts on networks the device is connected to.
A common variant of infostealers are SMS stealers, which are almost exclusively used to intercept one-time password SMS messages used for two-factor authentication.
Examples include Dresscode/MilkyDoor (which turn an infected device into a proxy into whatever network it joins), Triada, and SMS Thief.
Adware - Almost everybody has seen adware at one time or another. Typically, these trojans serve out-of-context advertisements on top of or within legitimate mobile applications. For the most part, these ads simply generate ad revenue for the attacker, but they are also used to serve malicious ads and push additional app downloads, e.g., other trojans or botnet enrollment.
Examples include FalseGuide, HummingBad, and Loki.
Ransomware - As with desktop ransomware, mobile ransomware can be (and is) used either to lock infected devices, or to encrypt files and folders located on the device. Since most mobile users consider their files to be transient, and thus not worth paying a ransom to recover, locking ransomware is easily the most prevalent option when it comes to mobile ransomware. Once a device has been locked, the owner will be asked to pay a ransom in order to regain access.
Examples include Fusob/Adult Player, Reveton/Cyber.Police, Simplocker, and LockDroid.
And of course…
Banking Trojans - These trojans modify a user’s experience or intercept communications in order to steal data which can be used to commit financial fraud. Since these have exploded in popularity over the past few years, and pose a huge threat to mobile users, the rest of this article (and the next) will give a rundown on what banking trojans are, what they can do, and how you can avoid falling prey to them.
The Evolution of Banking Trojans
In essence, mobile banking trojans are an extension of mobile phishing and social engineering attacks. In the past, attackers would use simple social engineering campaigns to harvest credentials, and use them to directly access online banking accounts.
Over time, though, financial institutions have become wise to these types of attacks. And in an attempt to prevent fraudulent access, most now make use of two-factor authentication techniques to minimize the risk of financial fraud.
Of course, threat actors rarely give up so easily. Instead of searching for alternative targets, attackers developed SMS stealer applications and delivered them alongside their phishing attacks. Now, once they had successfully stolen a user’s credentials, they could also intercept the two-factor authentication SMS messages that financial institutions so commonly rely on, enabling them to once again gain direct access to their victims’ bank accounts.
But that’s just stage one.
Modern mobile banking trojans are highly advanced, and include a vast array of functionality which can be used for all sorts of malicious purposes. In fact, the term “banking trojan” has become something of a misnomer, as these trojans also routinely target social media companies, payment sites, retail businesses, and auction sites.
Making the situation even worse, source code leaks across many banking trojan families have made them freely available to anyone with an Internet connection, resulting in a sharp increase in the number of variants observed in the wild.
Unsurprisingly, with so many threat actors operating in the mobile banking trojan space, quite a range of delivery methods have been observed. With that said, there are a few that come up time and again.
SMS - This is the most logical delivery mechanism for mobile malware of any sort, simply because SMS messages are almost always opened on mobile devices. Sure, it’s technically possible to open them elsewhere, but it’s not exactly common practice. Also, since many mobile banking trojans are able to send SMS messages, they are often observed distributing further lures to victims’ contacts.
Email - Email is less attractive than SMS, purely because there is no guarantee of an email lure being opened on a mobile device. As a result, these attacks often incorporate additional social engineering techniques designed to convince victims to open them via their mobile.
App Stores - Distributing trojans via app stores is less common than you’d think, purely because it is surprisingly hard to get a malicious app into an official app store. Naturally it’s much easier to get them into third party app stores, but far fewer users visit these stores, and even those who do would need to change their device settings to allow applications from unknown sources (on Android 8.0 and later this is a per-app “install unknown apps” permission granted to the browser or store app doing the installing, rather than a single global switch).
Actors choosing to distribute their wares via app stores will also need to decide how their store URL will be shared. Once again, phishing campaigns seem the obvious choice, but taking this route often results in speedy detection and mitigation. Instead, many threat actors choose to allow users to come across their apps purely through searching the relevant app store, which results in substantially better longevity, but an even narrower opportunity for distribution.
Malicious Advertisements - These can be served via ad networks, which enable threat actors to choose which types of device the ad will be displayed to. Naturally this is a huge advantage, but several steps are still required for a successful infection, including the all-important settings change.
Mobile Adware and Ad Pushers - Some mobile adware will show ads for other software (legitimate or not) which open them up for use as a distribution channel for trojans. Similarly, some offer rewards for installing apps, which adds an additional layer of social engineering to what can be a highly effective means of distribution.
Not Just a Pretty Face
Irrespective of how they are distributed, many malware apps (including banking trojans) are designed to imitate legitimate, well-known, and trusted apps. To that end, threat actors often design social engineering campaigns that correlate with the targeted app’s icon and distribution, and many malicious apps even include real functionality to further add to seeming legitimacy.
Over the years, Adobe Flash Player has been heavily imitated by malicious apps, despite Adobe having discontinued Flash Player for Android in 2012 (so any “Flash Player” download offered to an Android user is suspect by definition). Other commonly imitated apps include adult video and image apps, banking apps, popular games, and system updates/utilities.
Take a look at the image below. This is a screenshot of a real banking trojan social engineering screen, which not only pretends to be for an important system update, but even goes as far as teaching the user how to alter their settings to allow installation of apps from unknown sources.
And when it comes to pure functionality, few types of malware are as sophisticated or multifaceted as mobile banking trojans. Over the years dozens of functions have been observed, but two in particular are common to almost every mobile banking trojan: credential theft and SMS theft.
Credential theft can occur in several ways:
Overlays - Easily the most common form of credential theft. Trojans with this functionality watch which app (or website) is in the foreground, wait until a targeted one is opened, and then draw a phishing screen over it that is designed to capture login credentials. On Android this requires the permission to draw over other apps (SYSTEM_ALERT_WINDOW), so that permission is worth looking for alongside those listed later in this article.
Redirection - In this case, the trojan waits until its victim navigates to a specific site, and then redirects their browser to an identical (malicious) page.
Key Logging/Form Grabbing - These trojans steal and exfiltrate the data a user enters into legitimate forms.
Web Injects - More complex than the previous examples, trojans with web injection functionality manipulate targeted pages to include additional elements that can steal data and forward it to an attacker.
Of course, as we’ve already explained, credential theft is only half of the puzzle. Once credentials have been successfully harvested, attackers still need to get around common two-factor authentication techniques.
That’s where SMS theft comes in. Once an attacker has attempted to log in using stolen credentials, an SMS message will typically be sent to the compromised device. At this point, the SMS is intercepted, forwarded to the attacker, and deleted before the victim has a chance to see it.
Permissions and What They Tell You
Naturally, in order to pull off all these steps, a whole series of app permissions are required.
When you install a new application, the permissions it requests can tell you a lot. For instance, if you’re installing a flashlight app and it asks for fifteen different permissions, something fishy is probably going on.
Of course, in the real world, things are rarely so easy to spot. While the permissions requested can tell you a lot about the intent of an app, they’re really just one part of the puzzle. A good clue, certainly, but not usually enough to know for sure you’re on the cusp of installing a mobile banking trojan.
Typically, a banking trojan will require most of the following permissions:
- Read contacts - Provides the trojan with access to a victim’s contact list
- Read SMS - Allows the application to read SMS messages stored in the SMS inbox
- Receive SMS - Lets the trojan see incoming SMS messages as they arrive. On Android versions before 4.4 a high-priority receiver could also abort the broadcast so the message never reached the inbox; since 4.4 only the default SMS app can do that, which is why many trojans also try to talk the victim into making them the default SMS app
- Write & Send SMS - Enables the trojan to send further lures to a victim’s contacts
- Internet - Used to communicate with C2 servers, or to download additional software
- Get tasks - Lets the trojan see which app is in the foreground, which is how it knows when to draw an overlay over a targeted banking app, and how it spots security (AV) software
- Receive boot completed - Enables the trojan to open on startup
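The credential-theft and SMS-theft techniques described above, and the permission list just given, translate directly into a static triage check an analyst can run over an app’s manifest. The following is an added example written for this article, not a tool from the original page or any vendor: it takes an AndroidManifest.xml that has already been decoded to plain XML (for instance with apktool; the manifest inside an APK is stored in a binary format), collects the permissions from the list above plus SYSTEM_ALERT_WINDOW (the overlay permission, an addition to the article’s list), and looks for the broadcast receivers that give those permissions teeth: an SMS_RECEIVED receiver (with its priority), an SMS_DELIVER receiver (which means the app wants to be the default SMS handler, required since Android 4.4 to suppress messages), and a BOOT_COMPLETED receiver for persistence. Both manifests embedded below are constructed for the example and do not belong to any real app.

```python
"""Static triage of a decoded AndroidManifest.xml for banking-trojan indicators.

Added example for this article. Assumes the manifest has already been decoded
to text XML (e.g. with apktool). The two sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Clark-notation key ElementTree uses for an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, name)


# Permissions from the article's list, plus SYSTEM_ALERT_WINDOW for overlays.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list, used to pick targets for further lures",
    "android.permission.READ_SMS": "read OTP messages already in the inbox",
    "android.permission.RECEIVE_SMS": "see incoming OTP messages as they arrive",
    "android.permission.SEND_SMS": "send lures to the victim's contacts",
    "android.permission.INTERNET": "C2 traffic and payload download",
    "android.permission.GET_TASKS": "learn the foreground app (overlay trigger, AV detection)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of targeted apps",
}

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"  # any app with RECEIVE_SMS
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"    # delivered only to the default SMS app
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"


def analyze_manifest(xml_text):
    """Return matched permissions, receiver-based indicators and a coarse verdict."""
    root = ET.fromstring(xml_text)
    name = android_attr("name")
    perms = {p.get(name) for p in root.iter("uses-permission")}
    matched = {p: why for p, why in SUSPECT_PERMISSIONS.items() if p in perms}

    indicators = []
    for receiver in root.iter("receiver"):
        for filt in receiver.findall("intent-filter"):
            actions = {act.get(name) for act in filt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = filt.get(android_attr("priority")) or "default"
                indicators.append("SMS_RECEIVED receiver in %s (priority %s)" % (receiver.get(name), prio))
            if SMS_DELIVER in actions:
                indicators.append("SMS_DELIVER receiver in %s: wants to be the default SMS app" % receiver.get(name))
            if BOOT_COMPLETED in actions:
                indicators.append("BOOT_COMPLETED receiver in %s: persistence" % receiver.get(name))

    # The permission alone is a clue; the permission plus a receiver that uses it is capability.
    sms_theft = "android.permission.RECEIVE_SMS" in perms and any(i.startswith("SMS_") for i in indicators)
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in perms and "android.permission.GET_TASKS" in perms
    return {
        "permissions": matched,
        "indicators": indicators,
        "sms_theft_capable": sms_theft,
        "overlay_capable": overlay,
        "suspect": sms_theft or (overlay and "android.permission.INTERNET" in perms),
    }


# Constructed sample: a fake "Flash Player" with the full banking-trojan permission set.
TROJAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flash Player">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: a flashlight app asking only for what a flashlight needs.
FLASHLIGHT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("trojan", TROJAN_MANIFEST), ("flashlight", FLASHLIGHT_MANIFEST)):
        result = analyze_manifest(manifest)
        print(label, "suspect" if result["suspect"] else "no indicators")
        for perm, why in result["permissions"].items():
            print("  perm  %s: %s" % (perm, why))
        for indicator in result["indicators"]:
            print("  recv  " + indicator)
```

The verdict deliberately requires a permission and a component that uses it, because, as the article says, permissions on their own are only a clue: a legitimate SMS app legitimately holds RECEIVE_SMS, but a “system update” that holds it, registers a priority-999 SMS_RECEIVED receiver, and can draw over other apps is a different matter.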
In the next article, we’ll take an in depth look at two specific trojan families: Marcher and BankBot. We’ll cover exactly how they have evolved, what they do, who they target, and what individuals and organizations can do to protect themselves from the dangers of mobile banking trojans.
In the meantime, if you’re concerned about the impact of malicious apps imitating your brand, which can substantially damage the goodwill and reputation you have earned, check out our rogue mobile app protection service.