How to Protect Apps From Mobile Banking Security Threats
Watch our recent webinar to learn more.
Whilst we are used to hearing about big data breaches perpetrated against cloud systems, mobile apps provide another, and often easier, route in for attackers. Recent reports show that in Q2 of 2018 alone, 39% of all fraudulent transactions came from mobile apps. Compare that to only 5% three years before; that’s a 600% increase in attacks.
There’s also a significant increase in attacks based on malware, such as mobile banking trojans designed to steal credentials and money from customers’ bank accounts. According to a LexisNexis 2018 study, 46% of the fraud in financial services originates from mobile apps, and the recent record-breaking British Airways GDPR fine originated from a web and app attack.
Mobile Banking Security Threats
The breadth of attacks is also astounding; whether it’s sophisticated programming to find a hole in an application, or something simpler, malware is on the rise. Some of the most notable recent threats discovered by Lookout include:
- Bancmarstealer – first discovered by Lookout in 2015, this attack resurfaced in 2017, targeting over 60,000 financial institutions globally. Essentially, it’s an Android trojan that tricks the user into thinking that the malicious app is a legitimate banking application. It can also exploit the accessibility capabilities within Android to steal multi-factor authentication information.
- Deep attacks – these sophisticated attacks target the application logic. A recent example is the attack on WhatsApp where the code was modified. Once an attacker has breached the application code, they’re free to do almost anything within the context of the app – and for an app like WhatsApp that includes full access to the microphone, camera, location, photos…
- Screen loggers and key loggers – these are more straightforward attacks that steal sensitive information from outside the target application. Such attacks have found a home in mobile apps, where they’ll sit on a phone and detect if there’s a banking app present. When the app is run, they’ll capture the information.
- Accessibility framework attacks – some attacks exploit the accessibility framework on devices. Attackers are weaponizing this, pretending to be the user to enter transactions and press buttons; for example, to disable a security feature.
- Overlay attacks – the attacker places a fraudulent window over a legitimate app on the device to gather user credentials, or to trick the user into disabling security settings to enable further attacks.
Perhaps the most frightening aspect of many of these attacks is how simple they are to instigate. The majority require no deep programming knowledge and malware toolkits make attacks frighteningly easy. It also means that no app – however small – is safe. There are numerous examples of malware toolkits that can be trivially repurposed by a “Script Kiddie” to retarget a new app.
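On the defensive side, Android exposes platform controls aimed at the overlay and screen-logger items in the list above. The following is an added example, not code from the original article or from Lookout; the activity name `TransferActivity` and the resources `R.layout.activity_transfer` and `R.id.confirm_button` are hypothetical.

```kotlin
import android.app.Activity
import android.os.Build
import android.os.Bundle
import android.view.MotionEvent
import android.view.View
import android.view.WindowManager

// Hypothetical sensitive screen of a banking app (name and resources are assumptions).
class TransferActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // Screen loggers: mark the window secure so its content is excluded from
        // screenshots, screen recordings and non-secure displays.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )

        // Overlay attacks, Android 12 (API 31) and later: ask the system not to draw
        // non-system overlay windows on top of this window. Needs
        // <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS"/>
        // in the manifest.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }

        setContentView(R.layout.activity_transfer)
        val confirm = findViewById<View>(R.id.confirm_button)

        // Older releases: the framework discards touches that arrive while another
        // visible window covers the touched point of this view.
        confirm.filterTouchesWhenObscured = true

        // API 29+: also refuse touches when an overlay covers any other part of the
        // window, which the flag above does not detect.
        confirm.setOnTouchListener { _, event ->
            val partiallyObscured =
                Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
                    (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
            partiallyObscured // returning true consumes the event, so no click fires
        }
    }
}
```

These window and touch settings do not stop a malicious accessibility service from reading the view hierarchy, so they complement malware detection on the device and do not replace it.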