Bank customer being compromised by mobile malware and on-device fraud attack

Many of us are glued to our phones and devices these days. Unfortunately, if we’re not careful, fraudsters will attach themselves to our personal devices too — without ever being detected. Fraudsters use malware to infiltrate mobile devices and conduct unauthorized activity, including on-device fraud (ODF) attacks. Embracing a full digital trust strategy is critical for banks and financial institutions to stop mobile malware and on-device fraud and protect their customers’ journeys.

Assessing the Mobile Malware Threat Landscape

Criminals turn to mobile malware and on-device fraud for two key reasons. First, mobile malware is easy to distribute. In many cases, criminals upload a trojan dropper to a legitimate application marketplace. Believing the app is legitimate, unsuspecting consumers download it from the app store and install the malware on their devices. Some mobile threats also propagate to the contacts in a victim’s address book.

Second, they want to repeat their successes. If a mobile threat is successful in one region, fraudsters will escalate their efforts to cover more targets. That’s why many malware campaigns are initially tested in more mature financial markets like the UK and EU. Fraudsters realize if their campaigns are successful in these markets, they will be successful in other regions.

Malware threats take many forms and use many tactics, and they frequently target Android users. Recently, some of the most common banking trojans target cryptocurrency wallets and banking signature apps, harvest two-factor authentication (2FA) codes from Google and other authenticator apps, use keyloggers to record keystrokes, and impersonate SMS and text messaging apps.

5 Critical Mobile Malware and On-device Fraud Threats

Here’s how mobile malware and ODF threats have evolved in recent years.

  • SMS Stealer. SMS stealers are among the earliest types of banking trojans developed to steal information from a compromised device. Once installed, the malware steals SMS or text messages and sends them to a server controlled by the criminal. This tactic enables bad actors to commit account takeover (ATO) attacks by accessing two-factor authentication (2FA) codes and other sensitive information.
  • Screen Overlay Attacks. These programs work much like a phishing campaign. Once installed, a fake app or a trojan banker launches a mobile phishing browser to overlay the mobile banking app when a victim uses it. Victims submit their real banking credentials believing the overlay is their real mobile banking app. The program relays the victim’s banking information to a central server, enabling fraudsters to commit more ATO attacks.
  • Remote Access Tools and Trojans (RATs). Remote access tools and trojans (RATs) start to blur the line between ATOs and on-device fraud. Once installed, RATs either hijack a user’s banking session or take control of the entire device remotely.
  • Semi ATS Attacks. Automatic transfer service (ATS) attacks are full-blown ODF attacks because they go beyond infiltrating or accessing a victim’s device. Instead, they take greater control of the infected device to execute fraudulent transactions. In the case of semi ATS attacks, fraudsters remotely send commands to infected devices (e.g., commands that direct transactions to selected mule accounts). While they can execute commands remotely, they still need the victim to manually grant certain device permissions, such as access to their banking app.
  • Full ATS Attacks. This is a more severe ODF attack. Full ATS attacks don’t require a final manual intervention from victims. Instead, everything can be performed automatically, including the mule account selection, 2FA bypass, and the transaction execution. This type of attack is so sophisticated that it can even alter a device’s biometric information, bypassing behavioral anomaly detection. The malware can convince a device that it is being held by a human, even though the device is resting on the owner’s nightstand.

3 Pillars of Digital Trust to Curb Mobile Malware and On-device Fraud Attacks

Given the range of malware and ODF attack types, banks have to ensure they implement the right protections for each threat. A digital trust approach enables financial institutions to tackle each stage of a malware and ODF attack without disrupting the customer experience.

A full digital trust fraud prevention solution is built on three core pillars. These pillars include:

Full device assessment

Profiling the unique features of a device is a core component of building a digital trust fraud prevention strategy. This step involves identifying whether a device is new, whether the user has owned it for some time, and whether it’s associated with any known fraud campaigns. It should also look at whether the device connects to the internet from a familiar network or an otherwise familiar, trustworthy environment.

Malware analysis

This digital trust pillar looks at the device’s exposure to a variety of malware campaigns, including whether a device has been infected with banking trojans in a web or a mobile environment. It also checks for common mobile malware threats, including SMS stealers, screen overlays, man-in-the-middle attacks, and more.

Behavioral biometrics

Implementing behavioral biometrics is a core component of digital trust. Using behavioral biometrics, banks and FIs assess how a user normally holds their device, how they touch their screen, and even the angle at which they usually hold their phone. This understanding is critical for banks to have confidence that it’s their customer performing the transaction. 

A financial institution’s digital trust strategy must embrace all three of these pillars to be successful. If one component is missing or incomplete, fraudsters will work around it. For example, a bank might implement only behavioral biometric solutions to monitor how customers normally handle their devices. But then fraudsters use malware and ODF attacks to alter a device’s biometric information. Without device assessments and malware analysis, the fraudsters can change a device’s profile and bypass biometric controls and mobile security.
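To make the three-pillar argument concrete, here is an added example (not code from the original post or from any vendor product) of a session risk scorer that combines device assessment, malware analysis and behavioral biometrics; the signal names, weights, thresholds and the constructed full-ATS session are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class SessionSignals:
    """Signals for one mobile banking session (constructed field names, not a vendor schema)."""
    device_age_days: int            # pillar 1: days this device has been seen on the account (0 = new)
    device_in_fraud_campaign: bool  # pillar 1: fingerprint previously tied to a known fraud campaign
    familiar_network: bool          # pillar 1: connecting from a network the user has used before
    overlay_detected: bool          # pillar 2: another app is drawing over the banking app
    automation_detected: bool       # pillar 2: UI driven by an accessibility/automation service (ATS)
    sms_stealer_indicator: bool     # pillar 2: known SMS-stealer family present on the device
    behavior_similarity: float      # pillar 3: 0.0..1.0 match to the user's usual handling profile

def device_risk(s: SessionSignals) -> float:
    """Full device assessment: fraud-linked devices are decisive; new devices and unknown networks add risk."""
    if s.device_in_fraud_campaign:
        return 1.0
    age = 0.5 if s.device_age_days == 0 else 0.2 if s.device_age_days < 30 else 0.0
    return min(1.0, age + (0.0 if s.familiar_network else 0.3))

def malware_risk(s: SessionSignals) -> float:
    """Malware analysis: any active infection indicator is decisive on its own."""
    return 1.0 if (s.overlay_detected or s.automation_detected or s.sms_stealer_indicator) else 0.0

def biometric_risk(s: SessionSignals) -> float:
    """Behavioral biometrics: risk grows as the session diverges from the owner's profile."""
    return 1.0 - max(0.0, min(1.0, s.behavior_similarity))

PILLARS = {"device": device_risk, "malware": malware_risk, "biometrics": biometric_risk}

def session_risk(s: SessionSignals, pillars=("device", "malware", "biometrics")) -> float:
    """Combine enabled pillars with max(), so one decisive pillar is never averaged away
    by two reassuring ones. Weights and thresholds here are illustrative assumptions."""
    return max(PILLARS[p](s) for p in pillars)

def decide(risk: float) -> str:
    """Map a risk score to an action; thresholds are assumed, not from the post."""
    return "block" if risk >= 0.8 else "step_up" if risk >= 0.4 else "allow"

# Constructed full-ATS scenario from the post: long-known device, familiar network, malware
# mimicking the owner's touch profile (high similarity), but an automation service driving the UI.
ATS_SESSION = SessionSignals(device_age_days=400, device_in_fraud_campaign=False,
                             familiar_network=True, overlay_detected=False,
                             automation_detected=True, sms_stealer_indicator=False,
                             behavior_similarity=0.95)

if __name__ == "__main__":
    print("biometrics only:", decide(session_risk(ATS_SESSION, pillars=("biometrics",))))  # allow
    print("all three pillars:", decide(session_risk(ATS_SESSION)))                         # block
```

With biometrics as the only pillar the faked handling profile is accepted; once the malware and device pillars are included, the automation indicator alone drives the session to a block.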

We need our smartphones for entertainment, information, and, of course, to stay on top of our finances. But we don’t want fraudsters to have the same easy access to our financial data. Putting digital trust at the center of digital banking is a significant step in preventing online banking fraud and keeping consumers’ banking transactions secure.

Download our Oscorp Threat Report: Cryptocurrency Theft Malware threat report to learn how this banking trojan malware steals the owner’s banking credentials and even targets cryptocurrency assets.