Droid Attacks Continue to Plague Banking Apps

Experts share two ways to defend against Android-based banking app attacks.

Android is a popular hacking target.

Android users beware! The source code of the notorious banking malware Exobot has made its way onto several hacking forums—raising the possibility of a surge in malicious Android apps.

Over the last several months, several banking Trojans targeting the Android platform have received media attention. One of these, called Marcher (aka Exobot) and first detected in 2013, seems to be especially active. This malware variant's overlay attack even appears effective against Android 6, which includes technical improvements over previous Android versions intended to prevent such attacks.

The chief attack method is phishing via SMS/MMS. The message contains a link to a bogus version of a popular or widely used app.

The Marcher banking malware uses two primary attack routes. The first compromises out-of-band authentication for online financial institutions by forwarding SMS messages, so that one-time codes sent by text reach the attacker. The second, the overlay attack, displays a tailored phishing window (made to look identical to the login screen of a banking app) to steal the victim's banking credentials.

Frederik Mennes, senior manager market and security strategy, Security Competence Center at Oakbrook Terrace, Ill.-based security firm OneSpan, said: “The leakage of the source code of the Exobot mobile banking malware may cause an increase in overlay attacks, whereby malware on the user’s mobile device shows a window on top of the genuine mobile banking app that looks very similar to the genuine app. In this way the malware aims to trick the user into entering his credentials into the overlay window.”

To defend mobile banking apps against overlay attacks, OneSpan recommends two techniques: runtime application self-protection (RASP) technology and multi-factor authentication.

Mennes explained RASP, which is a term coined by Gartner, protects mobile apps against application-level intrusions, such as overlay attacks. “RASP solutions interfere with the banking Trojan’s process to create and display overlays. It is important that financial institutions choose a RASP solution that provides generic overlay protection.” This means the RASP solution should not provide protection against specific malware samples (e.g. the latest Exobot sample), but rather against multiple malware families, such as BankBot, Svpeng and Marcher.

Multi-factor authentication technology ensures banking credentials stolen via an overlay attack are of little value to a fraudster, Mennes added. “Apps protected in this way use two different authentication elements: something the user knows (e.g. the PIN), but also something the user has (such as a cryptographic key stored on the mobile device, which is used to generate one-time passwords).” While overlay attacks can target the knowledge factor, they cannot attack the possession factor to steal the cryptographic key.

North Olmsted, Ohio-based security firm Stealthcare also warned of Android devices under siege from a new wave of malware attacks in its latest cyberintelligence alert.

Jeremy Samide, Stealthcare CEO, advised: “Android is an attractive target since it is the dominant operating system globally and many of its users run outdated versions on their smartphones, tablets and other devices.” At minimum, he recommends updating the OS to protect your devices from current and future variants.

Among the new droid attackers is HeroRAT. “This is a Remote Access Trojan that abuses the Telegram protocol so that hackers can gain command and control for data exfiltration. By using Telegram for C2 the hackers avoid detection because the traffic is between the user and trusted upload servers,” Samide said.

Stealthcare warned its clients that, though the malware's source code is publicly available, disreputable operators offer paid models, which include customer support. “HeroRAT works on all Android versions but requires the victim to accept permissions that include gaining administrator privileges. The hackers rely on various attack vectors including third-party applications, social media and messaging,” Samide said. “Protecting widely deployed operating systems like Android from hackers of all types is not an easy task but we have to take the gloves off and fight back.”

Additionally, an advanced battery saver app downloadable from the Google Play Store was found to contain functionality to steal information and silently click advertisements.

Through cyberintel sources, machine learning, tradecraft and other methods, Stealthcare traces malware during its early development to learn how soon it will be weaponized and deployed to those with ill intent.