The global pandemic and resulting quarantine in many countries have led to an increased reliance on technology for many daily tasks, which creates more opportunities for attackers, and the FBI is warning that mobile banking apps are among the top targets for those looking to take advantage of the situation.
Mobile banking trojans have been a highly profitable and diverse cottage industry for cybercrime groups for many years, right from the time that smartphones became widely available. At first they were rudimentary and relatively easy to spot, but as time has gone on and mobile banking has grown in popularity, the attackers have become much more creative and stealthy and the malicious apps have become increasingly difficult to identify. There are several different types of mobile banking attacks, and the most effective and popular ones are trojanized versions of legitimate apps or malicious apps that have the ability to throw fake login screens in front of a banking app to steal victims’ credentials.
These techniques are widely used and so they’re well understood by the research community and the teams that work to keep malware out of the app stores. However, they can still be quite effective, especially in the Android ecosystem where individuals can download apps from third-party app stores and providers directly. The quarantine in the United States and many other countries has meant that far fewer people are going to banks in person, and people are relying on mobile apps for more and more transactions, a situation that is highly attractive for attackers.
“With city, state, and local governments urging or mandating social distancing, Americans have become more willing to use mobile banking as an alternative to physically visiting branch locations. The FBI expects cyber actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking trojans and fake banking apps,” the FBI warning issued Wednesday says.
One of the most effective and insidious techniques that attackers use in mobile banking attacks involves a screen overlay that obscures the legitimate login page of a banking app. In many cases, a seemingly benign app such as a game or a utility will be used to conceal malware that is designed to wait for the user to launch a target banking app. At that point, the malware will activate and create a login screen that is identical to the legitimate one the user expects to see.
“Cyber actors target banking information using banking trojans, which are malicious programs that disguise themselves as other apps, such as games or tools. When the user launches a legitimate banking app, it triggers the previously downloaded trojan that has been lying dormant on their device,” the FBI warning says.
“The trojan creates a false version of the bank's login page and overlays it on top of the legitimate app. Once the user enters their credentials into the false login page, the trojan passes the user to the real banking app login page so they do not realize they have been compromised.”
One of the best defenses against typical mobile banking attacks is to use two-factor authentication, which most major banks offer now. Strong 2FA can prevent many types of mobile banking attacks from succeeding, including the screen overlay and credential theft variants that are most common.