Australian Banking Apps Under Threat From Cybercrime in Huge Malware Campaign

Posted April 15, 2016

Australian Banking Apps Under Threat From Cybercrime in Huge Malware Campaign

Cybercriminals continue to evolve their mobile malware attacks using increased sophistication and creativity to fool even the most careful individuals and well-secured banks.

As mobile adoption continues to grow, mobile apps are revolutionizing the way that users transact. Banking apps in particular allow people to check their balances and transactions daily, whenever and wherever they want. It’s a win-win situation – banks have a permanent presence on a device that is generally in close proximity to their customer, and customers have the freedom to access their accounts whenever they need to. But, is this truly a win-win?

A recent malware attack in Australia and New Zealand has highlighted the perils of assuming mobile apps are safe from the sinister lure of cybercriminals. This particular malware hides on infected devices waiting to pounce when the user opens the banking app. It then creates a fake login screen over the top of the real one to capture usernames and passwords.

cybercrime mobile banking appThis malware can also intercept two-factor authentication codes sent to the mobile device via SMS. This arms the hackers with all the information they need to take over the user’s bank account, and the crucial thing is, the bank may be none the wiser. They may simply see what appears to be a legitimate log in attempt, until the user notices the unusual withdrawals. By this time, it is probably too late.

The fraudsters or syndicates behind these malware attacks actually launch their cybercrime attacks similarly to the way a farmer sows his crop. The owner buys his malware seeds from the distributor, which he sows for harvest later in the year. The malware seed is sown across key target regions where it will achieve maximum download potential. The malware is usually distributed silently over time and can sit unseen inside online apps for up to 3-6 months, lying fallow in silent mode before being activated. It will not be detected by traditional anti-virus solutions as the malware is embedded in apps or other software. The malware is not active, nor doing anything other than maybe a random call out or update; nothing unusual for an app. Meanwhile the fraudster uses this time to get enough coverage and set up relevant mule accounts to launder the money through, all before the harvest begins.

When in active mode the cybercriminals who own the malware can harvest funds from banks by name, by region and therefore by brand, maintaining full control without detection.

It may seem like an insurmountable battle to tackle this kind of fraud, but actually the fraudster leaves a trail of evidence in the form of anomalies these threats give off prior to the attack. Banks could leverage this information to detect the difference between a legitimate customer and a potential cybercriminal. And in fact, this particular case is quite simple in comparison to some other attacks. Future attacks could prove much more sophisticated in their approach, and financial institutions must be properly prepared.

It’s not usually the app itself that is the problem. Banks need to be able to look holistically at the integrity of the app environment in order to detect possible cybercrime threats or compromises:

  • Firstly, the bank needs to be able to validate that their app is not being compromised by a third party application on the user’s device
  • Secondly, the bank must validate that there is not a compromised app running alongside the banks mobile app which could generate a fake site, phish for user’s second factor authentication details or collect key personal credentials which are simply siphoned off during the authentication process

ThreatMetrix addresses these issues and enables banks to manage the changing threat landscape while not compromising the mobile banking channel. Our digital identity solutions allow businesses to instantly detect the threat and mitigate against the attack without compromising the transaction or letting the fraud syndicate know you have detected them.

Ted Egan

Ted Egan

Vice President Asia Pacific Sales, ThreatMetrix

close btn