“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
Mobile malware is on the rise, and it has become a major source of income for cybercriminals. In the 2018 Mobile Malware Evolution report, Kaspersky Lab recorded 116.5 million mobile attacks in 2018, compared to 66.4 million in 2017. They detected over 5 million malicious installation packages, over 150 thousand new mobile banking trojans, and over 60 thousand new mobile ransomware variants. Verizon's 2019 Mobile Security Index report stated that one-third of companies have suffered a compromise that involved mobile devices. While AV and mobile vendors differ somewhat in their findings, the message is the same: as our digital lives become more mobile, the threat horizon for cybercriminals expands. By attacking the mobile platform, hackers are finding new and sophisticated ways to compromise the enterprise.
Mobile malware will continue to evolve in the same way other malware types have over the years. The 2018 McAfee Mobile Threat Report points out that one-third of mobile malware consists of Hidden Apps. Hidden Apps can be distributed through trojanized applications hidden in games or customization tools. Cybercriminals take advantage of popular games like Fortnite, where users are enticed to install leaked add-ons or new beta versions through ad campaigns or YouTube videos.
Proxy-based mobile malware is becoming more prevalent. More powerful mobile hardware enables the deployment of more sophisticated functionality such as a SOCKS proxy and network payload encryption. Mobile malware like the popular “TimpDoor” can be used for reconnaissance purposes, using the mobile phone as a springboard to gather information on servers and devices that are otherwise shielded from the open Internet.
In 2018, new records were set for the number of mobile banking trojans and the number of victims. Much of this malware utilizes the Accessibility Service in mobile platforms. New versions of Android make it increasingly difficult to overlay phishing windows on top of banking applications. Instead, the Accessibility Service allows malware to nest in the mobile device where the average user cannot remove it. Hackers also use the Accessibility Service to hijack legitimate banking applications and make money transfers.
The use of Droppers almost doubled in the last year. Droppers are small pieces of malware that generate a new hash each time they are installed to avoid detection, and they then install the actual malicious software under the hood. Droppers are easy to create, use, and sell on underground markets.
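The two preceding paragraphs describe the building blocks a defender can look for before an app is ever run: an Accessibility Service declaration, the permission to draw overlay windows, and the permission to install further packages. Because a dropper re-hashes itself on every install, hash blocklists are of little use; a static triage of the app's manifest is one check that survives that trick. The script below is an added example written for this post, not BlueVoyant's code or any vendor's tool. It assumes a decoded, text-form AndroidManifest.xml (for instance as produced by apktool) and uses two constructed sample manifests; the permission and action names it matches are the standard Android ones.

```python
"""Triage a decoded AndroidManifest.xml for the capabilities mobile banking
trojans and droppers rely on (added example; not the post's own code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Standard Android identifiers for an accessibility service declaration.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Permissions that have legitimate uses but are the ingredients the post
# describes: overlays for phishing windows, and installing a second stage.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW":
        "can draw overlay windows on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "can install additional packages (dropper-style second stage)",
}


def _android_attr(elem, name):
    """Read an attribute from the android: XML namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, a list of (indicator, reason) findings and a
    'review' flag that is True when any finding was raised."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    findings = []

    # Requested permissions of interest.
    for perm in root.iter("uses-permission"):
        name = _android_attr(perm, "name")
        if name in RISKY_PERMISSIONS:
            findings.append((name, RISKY_PERMISSIONS[name]))

    # Any service bound with the accessibility permission, or advertising the
    # accessibility intent action, can read and act on other apps' screens.
    app = root.find("application")
    services = app.iter("service") if app is not None else []
    for svc in services:
        binds = _android_attr(svc, "permission") == ACCESSIBILITY_BIND
        actions = {_android_attr(a, "name") for a in svc.iter("action")}
        if binds or ACCESSIBILITY_ACTION in actions:
            findings.append((_android_attr(svc, "name") or "<unnamed service>",
                             "declares an AccessibilityService"))

    return {"package": package, "findings": findings, "review": bool(findings)}


# Constructed sample: a "flashlight" app that asks for far more than it needs.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: the same app with only the permission it plausibly needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(xml)
        print(label, result["package"], "review needed:", result["review"])
        for indicator, reason in result["findings"]:
            print("  -", indicator, ":", reason)
```

The output is a triage signal, not a verdict: screen readers, password managers and some automation apps declare accessibility services for good reasons, so the useful question is whether the declared capabilities fit the app's stated purpose and the store category it came from. Run over every APK sideloaded onto managed devices, this kind of check catches the trojanized "game add-on" or "customization tool" regardless of how many times its dropper has re-hashed itself.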
The second half of 2018 saw a significant increase in banking trojans. Banking trojans are becoming more robust, adding functionality such as keylogging and other spyware tools. Cybercriminals continue to find new ways to bypass Google's security checks. One example is Dynamic Deception, in which the application hosted on the Play Store functions as advertised but can later dynamically download and decrypt malicious code, either after a set period of time or after the base application has been installed and confirmed as running on an actual device outside of a sandbox.
The increased power of mobile processors is driving growth in mobile crypto-mining malware. Mining malware typically slows a mobile device; it can even overheat the device and cause physical damage. Because crypto-mining malware is noticeable, its victims will generally take measures to eliminate the infection. As a result, threat actors in this arena are deploying wider-scale campaigns and enhancing anti-removal mechanisms.
Banks globally are in a tough spot. Experts suggest that warnings to customers about unexpected pop-ups and overlays asking for sensitive information are essential, as are supplementary authentication techniques. Financial organizations in general may want to encourage customers to install additional layers of security software on their devices.