Mobile banking and banking trojans

Florence Broderick, 13 August, 2013
During 2012, mobile banking (M-Banking) operations grew by around 28%. Users can access their bank accounts from their mobile devices, mainly through applications created specifically for banking access. What benefits and problems does this new way of interacting with banks bring us?
Specific applications for accessing bank accounts (downloaded mainly from official app stores such as the Apple App Store or Google Play, for the sake of security and availability) make our access quicker and, to some extent, avoid phishing attacks, which are more common in a “browser and link” environment.
But the use of this kind of application involves other risks. Apps are supposed to be reviewed, tested and analyzed before they are made available to users. Among other measures, Google Play uses “Bouncer”, an automatic system that dynamically analyzes applications before they are published. Unfortunately, this does not prevent the official store from hosting quite a lot of malware for these devices, hidden in legitimate applications as well as in applications that pretend to belong to real banks but only steal credentials. The Apple App Store offers better protection, because its policy for accepting an application into the store is much more restrictive.

So far, we have seen applications that pretend to be the official application needed to operate with a bank from a mobile device. These are usually offered from fraudulent repositories or from the official store (for a short time, until they are detected). But there are other ways. Although not many cases of this kind have been detected, malware already present on the device could try to steal information from the legitimate bank application. To infect the device in the first place, the user has to install an application that contains malware or that “is” malware, although it may also arrive as an email attachment or even from an infected PC. Then it would be enough to capture keystrokes or the network data sent by the legitimate application.

The guilty ones
Zeus (Zbot) malware, with its multiple variants, is the most popular banking trojan. Programmed in C++ (and PHP for its “server” side), it was first seen during 2007 and was a real revolution in the malware world, given its specialization and its ability to obtain bank credentials from Windows machines. It has evolved over time, adapting and improving in order to evade new security systems.

Zeus could be purchased on the black market for 2500-3000 €, providing a complete information arsenal for “learning to steal”. In addition, scammers may buy extra modules to improve functionality, or even use it as a service, renting infected botnets. In 2011 its source code was leaked, giving rise to other versions maintained by “the community”. SpyEye is a very popular banking trojan too, with quite a lot of plugins and advanced functionality.
Zeus-based malware is constantly improving, as its authors try to make money selling the product. As an example, a new variant of banking malware “as a service” that showed up in 2013 is “KINS” (Kasper Internet Non Security), developed from Zeus and adding SpyEye features.

Malware and phones

While security in online banking improves, integrating the cell phone as a second authentication factor, malware (especially Zeus and its variants) has had to adapt and infect these devices as well. So the term “MitMo” (Man in the Mobile) was coined for a kind of Zeus variant that tried to bypass online banking security by also infecting smartphones and, in this way, obtaining the SMS used for authentication. The user (whose PC is already infected) is asked to download and run an application on their smartphone. This mobile malware has to work together with the trojan infecting the victim’s PC; by itself, it is not designed to steal banking information from the smartphone.

But new variants for Android have been spotted, specifically designed to target the customers of a particular bank. An alert was raised about a malware that, aside from stealing all kinds of information from the smartphone itself, is able to communicate with a C&C server via POST requests. But its most interesting feature is that it is specifically programmed to obtain the account balance of customers of the Russian bank Sberbank (by sending an SMS to a free number available to the bank’s clients). It also intercepts every SMS and call related to this bank. So this may be considered a first approach to a basic feature of PC banking trojans, which have long been programmed specifically for each bank.

At the moment it has only been detected in Russia, which (along with other Eastern countries) is the cradle of most sophisticated banking trojans.
Antonio Bordón Villar
