
Unraveling mobile banking malware, Check Point

Banking malware targeting mobile users requires little technical know-how to develop and operate, so it remains a persistent battle for security professionals.

Banking malware campaigns siphon out financial data and hijack funds to the intruders' accounts – and all the various defenses put in place to thwart their efforts have proven inadequate, says a new post from the Check Point Mobile Research Team.

And now, the scourge is exacerbated by an ever-expanding malware-as-a-service business model and open-source malware code, the study found.

The simplicity of the tools and strategy is encouraging wannabe criminals to enter the fray. All it takes is malware that can detect a banking app on an infected device and then, once a user opens it, launch a phony overlay page. Once the unwitting device owner enters their credentials, the valuable data is sent directly to the attacker's server, the report explained.

After witnessing three major developments in the mobile banking malware arena in the past few months, the Check Point researchers joined with ElevenPaths, Telefónica Cyber Security Unit, and its Tacyt mobile cyber-intelligence tool to investigate further.

What they detected was that banking malware had managed to increase distribution by getting a foothold in Google Play, Google's official app store. The team also found that a number of banking variants sprung up subsequent to an open source malware being posted on a malware developer forum. As well, the team discovered new capabilities the malware was putting to use. The good news: the team was able to decipher the operation.

The major development here is that while in the past banker malware was spread mainly through third-party app stores or by phishing campaigns, embedding it within Google Play greatly enhances its spread – even though it now requires getting around Google defenses. To achieve this, the new breed of banking malware managed to obfuscate the malicious parts of its code, the report found.

"The main difference seen between the samples we've tested is the obfuscation techniques used, which refers to the way the attackers hide the malicious code by encrypting and encoding it," Daniel Padon, mobile threat researcher at Check Point, told SC Media on Wednesday. "There are dozens of encryption protocols and various practices in which they are implemented, resulting in endless paths to reach the same goal."

Since the code that conducts the malicious activity is all borrowed from the same source, it makes sense for the attackers to focus only on hiding it better, he added.

The Check Point team of researchers found a malware forum on which Maza-in, a known malware creator, detailed how to create and set up a banker malware. The discussion also provided source code for the Android apps and the necessary backend (PHP and database). "This enables inexperienced malware developers to create not only a Command & Control system for Android, but a fully operational banking Trojan," the report stated. "All they have left to do is create a fake overlay page of the targeted bank and establish a Command & Control server."

The researchers gained access to a number of C&C servers where they detected 33 banking apps from France, Germany, Russia and Turkey. These apps are able to disable two-factor authentication, which is used by banks to authenticate users. So, the attackers are primed to defraud the banks, credit card companies and the people accessing them with their mobile devices.
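The overlay technique described above (detect the banking app, draw a fake login page over it, intercept the 2FA code) leaves a footprint in an app's manifest. The following is an added defender-side triage script, not code from the Check Point report or from SC Media; the indicator list (overlay, foreground-detection and SMS permissions plus an accessibility service) and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators (assumed, not from the report): capabilities an overlay banker needs.
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}
FOREGROUND = {"android.permission.GET_TASKS", "android.permission.PACKAGE_USAGE_STATS",
              "android.permission.BIND_ACCESSIBILITY_SERVICE"}
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

def manifest_indicators(manifest_xml: str) -> set:
    """Return the subset of indicator permissions declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    declared = set()
    for perm in root.iter("uses-permission"):
        declared.add(perm.get(ANDROID_NS + "name"))
    # An accessibility service is declared on a <service>, not as a uses-permission.
    for svc in root.iter("service"):
        declared.add(svc.get(ANDROID_NS + "permission"))
    return declared & (OVERLAY | FOREGROUND | SMS)

def triage(manifest_xml: str) -> str:
    """Rate an app: overlay + foreground detection + SMS access is the full banker kit."""
    found = manifest_indicators(manifest_xml)
    overlay = bool(found & OVERLAY)
    foreground = bool(found & FOREGROUND)
    sms = bool(found & SMS)
    if overlay and foreground and sms:
        return "high"
    if overlay and (foreground or sms):
        return "medium"
    return "low"

# Constructed sample: a "flashlight" app that asks for everything a banker needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST), sorted(manifest_indicators(SAMPLE_MANIFEST)))
```

Run it against a manifest decoded with any standard APK decoder; a "high" rating is a reason to look at the app dynamically, not proof of malice, since legitimate accessibility and SMS apps request some of the same permissions.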

Plus, the attackers' tactics have evolved to cope with anti-virus detection, the study found. The latest malware checks for AV on a device; if it detects any of 13 different AV tools, it will not launch, so as to avoid detection. However, the Check Point team found that despite being guarded by some of these AV tools, the malware was still present on some devices.

When asked what is so different about the delivery mechanism used in this banking malware, Padon said the main difference is that this time the malware managed to infiltrate Google Play in several separate instances, reaching a much larger audience than they could achieve otherwise. "This is worrying since unlike most malware found on Google Play, bankers are purely malicious and directly harm the unprotected users."

Further, hackers that manage to sneak their malware into Google Play are bound to be high-level coders, Padon pointed out. "This proves once again that users cannot rely on the official app stores for their safety, and must use additional protections, just as they do on their personal computers."

The study concludes: "Mobile bankers are on the rise, managing to bypass the defenses created by the Android OS, banks, Google Play, and now even by common AVs." And, the tools are being used not only by script kiddies and more advanced threat actors, but by state actors, as evidenced by the leak of Vault 7, the report stated.

To avoid these ploys, Check Point advised users to implement advanced protections capable of dynamic analysis. This strategy detects and blocks malicious actions even when code is obfuscated, they said.

There also is a bit of good news for iPhone users. Padon told SC that Check Point has yet to detect any mobile banking malware hitting Apple's system.
