September 30, 2015

Banking Trojans: mobile’s major cyberthreat

Android Malware Security

We are still in the midst of the smartphone boom. Over the past couple of years, over 50% of all mobile devices used by consumers are smartphones. In turn, this leads to a major problem: mobile cyberthreats. Whereas PC users are already used to at least basic “security hygiene,” the majority of smartphone users still consider their device ‘just a phone,’ which is in the same league as an iron or a washing machine – so why bother?

android-banking-trojans-FB

Today’s smartphone is a full-fledged computer, which is much more powerful than the one you used to own 10 years ago. And it’s a dangerous computer. Where your PC’s hard drive might not contain anything of value, apart from a couple of research papers from your college years and a pile of photos from your recent vacation, your smartphone is very likely to contain data, which is valuable both for you and the cyber-criminals.

If you happen to have a smartphone, it’s quite likely you also have a bankcard. Since banks use mobile phone number for authorization (they send one-time passwords over SMS), so it makes total sense for cybercriminals to penetrate this channel of communication and execute payments and transfers from your bank account.

With that said, it is no wonder banking Trojans are the most prominent mobile threats: they constitute over 95% of mobile malware. Over 98% of mobile banking attacks target Android devices, which also comes as no surprise. Android is the most popular mobile platform in the world (over 80% of global smartphone market), and of all popular mobile platforms only Android allows to side-load software.

Although Trojans are less dangerous than viruses, since they require user actions to infiltrate the systems, there are a number of efficient social engineering techniques, which lure a user to set up the Trojan mimicking, say, an important update or a bonus level for your favorite mobile game. Also, abundant exploits are able to run the malware automatically, once a user accidently executes the malicious file.

There are three major methods banker Trojans employ:

Hiding the Text: Malware on phones hides incoming SMS from banks and then sends them to criminals who then transfer money to their accounts.

Minor Cash Movements: Malware actoers occasionally transfer relevantly modest sums of money to fraudulent accounts from an infected user’s account.

App Mirroring: Malware mimics banks’ mobile apps and, upon getting user credentials to login into the real app, does the two actions above

The major banking Trojans (over 50%) target Russia and CIS countries as well as India and Vietnam. Lately, new generation of universal mobile malware is on the rise. This group is able to download updated profiles of different foreign banks from US, Germany and UK.

The grandpa of all mobile banking Trojans is Zeus, a.k.a. Zitmo (Zeus-in-the-mobile), which emerged back in 2010 (its ancestor for PC, also named Zeus, was created in 2006). This piece of malware managed to infect over 3.5 million devices in US alone, and create the history’s largest botnet.

This is a classic hijacker, which saves login credentials a user inputs into the m-bank interface and sends them to a criminal who then is able to log into the system using the hijacked credentials and execute rogue transactions (Zitmo was even able to bypass two-factor authentification).

Moreover, thanks to Zeus, scammers managed to get away with over 74,000 FTP passwords from various websites (including Bank of America), altering their code so that it would be possible to extract credit card data after each payment attempt. Zeus was very active until late 2013 when it started to be pushed out by the more up-to-date Xtreme RAT, however, the Trojan’s kernel is still en vogue among malware engineers.

2011 saw the emergence of SpyEye; it was one of the most successful banker Trojans in history. Its creator Alexander Panin, sold the code on the black market for prices ranging from $1,000 to $8,500. According to the FBI who deanonymized the creator of SpyEye, the number of buyers, who modified the Trojan to steal money from various banks, totaled 150. One of the scammers managed to steal over $3.2 million in just six months.

In 2012 another species was found – Carberp. This component mimicked Android apps of major Russian banks, Sberbank and Alfa Bank, and targeted their users in Russia, Belarus, Kazakhstan, Moldova and Ukraine. Curiously, the culprits were able to publish fake apps on Google Play.

The cybercriminal group consisting of 28 members was arrested during the joint Russian-Ukrainian operation. However, Carberp’s source code was published in 2013, so anyone could use it to produce their own malware. While the original Carberp was essentially created for former Soviet Union countries, its clones have been found all around the world, including US and countries in Europe and Latin America.

In 2013 Hesperbot started to claim its victims. The malware originated in Turkey, and spread globally through Portugal and Czech Republic. Besides causing usual troubles, this Trojan creates a hidden VNC server on a smartphone, which grants an attacker access to remote device management.

Even after the Trojan is gone, the remote access remains and allows attackers to hijack all messages as if the device were in their hands, consequently offering another opportunity to install malware. Moreover, Hesperbot acted not only as a banking Trojan, but also as a bitcoin snatcher. Hesperbot is distributed via phishing campaigns impersonating email services.

Back in 2014 the source code of Android.iBanking was revealed. iBanking is an end-to-end kit for SMS hi-jacking and remote device management, priced at as much as $5000. The publication of the code resulted in surge of infections.

The kit includes malicious code which replaces a legitimate banking app (the original app remains fully functional yet is modified to include a wider range of features) and a Windows program with a convenient GUI which allows to control all affected smartphones from the list which is automatically updated to include new victims.

It’s fascinating that, albeit the availability of a free version of the malware platform, a premium version of the kit is far more popular. Premium users are provided with regular product updates and customer support. By the end of that year two more Trojans were discovered on Google Play and were intended for Brazil and were created without any special programming skill – based purely on the available universal kit.

When it comes to banking attacks, Brazil is a special geography. It can be explained by the popularity of the Boleto mobile payment system. It enables one user to transfer money to another user via virtual checks containing a unique payment ID, which is transformed into a bar code on the display and then scanned by the recipient’s camera-enabled phone.

Special Trojans targeting Boleto users (the likes of Infostealer.Boleteiro), hijack generated checks just as soon as they land on the browser and immediately modify them ‘on-the-fly’ to be sent to the attacker.

Besides, the Trojan monitors the ID input in the Boleto system on websites and banking apps (during the account replenishment in the system) and clandestinely swaps legitimate ID with rogue IDs.

In June 2015, a new Trojan was discovered in Russia; Android.Bankbot.65.Origin was disguised as the patched official Sberbank Online app and offered ‘wider range of m-banking features’, available after the installation of the ‘newer version’.

In fact, the app indeed remained a functional m-banking tool, so users did not notice the swap. Consequently, in July 100,000 Sberbank users reported a loss of over 2 billion rubles. All of them used the rogue “Sberbank Online” app.

It goes without saying the history of banking Trojans is still being written: more and more new apps are created, and more and more efficient techniques attackers user to lure users into their trap. So, it is about time you protected your smartphone properly.