By Kiran Khokhar, cybersecurity engineer, Trend Micro
Life is increasingly lived online. And the gateway to this digital world, for banking customers at least, is predominantly mobile. Banks have responded over recent years by pushing more of their services into mobile-friendly sites and applications, while internally large numbers of flexible workers access corporate systems from the comfort of their handhelds. But these trends have not gone unnoticed by financially motivated cyber-criminals and even nation state actors.
The mobile ecosystem therefore represents a double threat to the sector: in the growing volumes of banking trojans which can undermine customer confidence in online services, and cyber-espionage which could result in the theft of highly sensitive corporate information. Tackling both will require a multi-layered approach.
The new normal
Mobile cyber-threats have been openly discussed for years. But there is still a tendency to dismiss the latest discoveries of sophisticated malware and data theft as a fringe activity. That would be a mistake. Attracted by a growing market of mobile banking users, cyber-criminals are deploying a diverse range of techniques to make their attacks more effective. Trend Micro filters detected more than 220,000 mobile banking malware samples in 2019 alone, while cyber-espionage campaigns have soared by 1400% over the past four years.
Cybercrime gangs that may once have focused on desktop attacks are increasingly looking at mobile channels to make money. Why? Because user devices are typically less well protected, and third-party application stores provide a ready-made distribution channel for malware. Some mobile malware even finds its way onto the official Google Play Store, although the Apple App Store remains relatively well policed. There’s also a more covert and targeted threat from nation state attackers who may be on the hunt for sensitive corporate information to leverage.
Banking on money
Banking trojans have been around for years. These programs use a variety of techniques to steal user logins and provide access to funds, which the hackers either use themselves or sell on the cybercrime underground. Unfortunately, mobile versions of this malware category are getting increasingly sophisticated, and even branching out to steal more personal data than just logins.
The Anubis variant targeted more than 300 financial institutions worldwide using motion-based evasion techniques, even bypassing Google’s in-house filters to make its way onto the Google Play Store in early 2019. The malware is disguised as an innocent-looking app that tricks victims into sending their banking credentials, security codes, and credit card details through overlays spoofed to look like software updates, app markets, Flash Player and other apps. Another notable malware discovered last year, Cerberus, was promoted and sold on Twitter. Built from scratch, it is designed to intercept and control the device’s SMS traffic, and harvests contacts.
Spying for profit
Mobile spyware presents a different kind of threat, as it’s most likely to cause serious financial and reputational damage if targeted against banking executives. Here too there’s a thriving market in malware designed to harvest sensitive information from the device including stored files, call logs, contact lists, browsing history, account logins, and geolocation. Some spyware can even be used to remotely activate the device camera and mic, which could be used to devastating effect during an important board meeting, for example.
Like banking trojans, spyware is usually hidden in legitimate-looking apps and smuggled onto Google Play, third-party app stores, or dedicated phishing sites. Victims are then lured into downloading the app via phishing emails or text messages. While iOS users can be fairly assured that any software on the App Store has been strictly vetted for malware, they’re not necessarily safe if they click through on one of these links. In extreme circumstances, spyware has even been observed executing without human interaction. It’s believed that this was the kind of mobile malware used by the Saudi Crown Prince Mohammed bin Salman to spy on Amazon’s Jeff Bezos. Banking CISOs should note that if the iPhone of the world’s richest man can be hacked, senior executives should be suitably prepared.
In fact, there’s a huge range of commercial spyware on the underground marketplace, disguised as everything from chat apps to Zoom downloaders. One variant, MobSTSPY, was downloaded more than 100,000 times by users from 196 countries.
Time to be proactive
The long-term future for mobile threats is uncertain. But what we can say is that tools and techniques, once the preserve of a select few advanced threat groups or nation states, will eventually disseminate down to the cybercrime masses. This is bad news for financial institutions, and indeed high-profile organisations, everywhere.
On the one hand, security teams must offer help and guidance wherever possible to customers. Raising awareness of the dangers of mobile banking trojans and hammering home advice such as not to visit unofficial app stores or click on unsolicited emails/messages is a vital first step. Banks could even provide free AV software for customer devices. Security in these terms can be a differentiator for lenders, and an increasingly important one as Open Banking rules usher in a new generation of fintechs to the market.
This user training and awareness needs to extend to employees, to minimise the chances of spyware infection. Make sure they know how to spot phishing attempts with regular training exercises featuring real-world simulations. The next steps you take will depend on your organisation’s risk appetite. It may be that employees aren’t allowed to access corporate systems on anything but a work-sanctioned device. If that’s not the case, then strict acceptable-use policies will need to be drawn up, with restrictions placed on downloads and on which sites the user can visit. These can be enforced by mobile device management tools, which also ensure all devices are protected with AV from a reputable vendor and kept up to date with the latest software/OS versions. Two-factor authentication can further bolster security by reducing your reliance on easy-to-steal, guess or crack passwords.
Senior executives must be a part of this process: attackers know that these are the highest value targets, the ones with the most to lose and potentially the most likely to click through on malicious links. Finding a way to impress upon them the importance of good mobile cyber-hygiene will be a challenging but essential task.
If anything, the COVID-19 crisis will accelerate a shift towards home and remote working across the sector. If mobile is the new normal, it makes sense to focus on cybersecurity today to prepare for the threats of tomorrow.