Evolving attacks on mobile apps

OneSpan

By Raltisa Miteva, manager digital identity and mobile security
Wednesday, 09 March, 2022


Evolving attacks on mobile apps

Banking customers are becoming more reliant on mobile channels for their financial needs. According to data in the Forrester State of Digital Banking 2022 report, 42% of Australian online adults say they use their bank’s mobile app to do their banking. Last year, the Australian Competition & Consumer Commission (ACCC) reported a significant increase in losses to phishing scams (261%), remote access scams (144%) and identity theft (234%). It’s a lucrative channel for cybercriminals, which will not change in 2022.

Recently, researchers observed additional evidence that mobile banking apps are an extremely enticing target for fraudsters. The researchers uncovered that bad actors adapted their techniques to find new ways around Google Play Store restrictions. Seemingly harmless ‘dropper’ apps remained not dangerous for months until they could slowly be updated with malicious code. Due to the slow-burning nature of these attacks, simple antivirus scans would not identify the threat. Once ready, fraudsters would use the code to download apps without the user’s permission and ultimately download Android banking trojans.

As we move through 2022 and Google continues to update how it polices apps on its Play Store, financial institutions (FIs) must expect mobile fraud campaigns to continue to evolve and slip through the net despite Google’s good intentions.

It’s crucial to understand that security is never a point in time. However, the security hygiene of a user’s device can change over time. In this case, before the dropper app downloaded the malicious payload, it’s possible to assume the device was secure. So, let’s look at exactly how these attacks occurred, what they did and how banks can get ahead to mitigate similar future attacks on their customers.

Lessons to be learned — from mobile to bank accounts

Mobile applications are created through hundreds — if not thousands — of lines of code. So, ultimately, Google Play automates a lot of the scans to detect malicious code for thousands of apps daily. We’re now seeing that these apps being used to infiltrate app stores have some functionality and appear safe by misleading detection scans until cybercriminals deploy the attack.

Once malicious code has been uploaded, attackers can easily trick users by prompting them to download an update to the app from an unknown or third-party source.

The update enables cybercriminals to abuse accessibility settings — designed to simplify phone usage for people with disabilities — to automate mobile device functions for fraud. Some of these malicious applications have allowed fraudsters to abuse these settings to conduct overlay attacks and embed keyloggers so they can steal usernames and passwords or execute lines of code to steal personal data. To get ahead of these threats, it’ll mean different sectors need to be proactive regarding mobile app security.

Security as a partnership

Google and the other app store providers will continuously review their security procedures to make their platforms and devices more secure. But big tech companies like Google have to deal with so many new apps and updates constantly that it’s inevitable that many malicious apps may find their way onto the store.

For a long time, too, there has been a case to educate customers about the threats they face. Banks make noticeable efforts to warn customers about potential threats like clicking suspicious links via SMS or email or not downloading anything to their device from an untrusted source.

But the truth is, inevitably, someone will make a mistake as fraudsters use various techniques to gain a user’s trust. With apps seeming completely harmless, it’s all too easy for precisely this to happen. By the time banks warn their customers about specific threats, the likelihood is that fraudsters are already evolving beyond those techniques, finding new ways to fool their unsuspecting victims.

Even with big tech companies proactively updating security requirements for their app stores and collectively educating customers, advanced security technologies are essential to filling the gap and mitigating potentially fraudulent activity — whether it’s a known or unknown threat.

Security assurance even in unsafe environments

Banks and FIs have no control over what their users do on their mobile devices outside their applications. So, the first step to securing mobile banking applications is to assume that apps are continuously operating in unsafe environments. Without this approach, security is implicitly being outsourced to big tech companies. However, customers will still expect their bank to protect the money in their accounts.

To mitigate these types of attacks, banking applications must deploy technology that can identify any malicious activity or interference with a mobile application before funds can be stolen — even when previously unseen threats have targeted customers. App shielding combined with strong customer authentication can mitigate password theft and ensure the integrity of an app’s runtime environment to detect malicious interference with the app and shut it down, even on infected devices.

App shielding ensures strong security against unknown threats on untrusted devices, but the security mechanisms they rely on have little to no impact on the user experience.

When discussing fraudsters’ latest techniques to commit fraud, they’re already planning and innovating for their next campaign. Over the next year, researchers will continue to document new threats and techniques, but mitigating the damage that these future threats can cause means implementing advanced technologies — capable of identifying and preventing new threats as and when they emerge.

Image credit: ©stock.adobe.com/au/georgejmclittle

Related Articles

Nation-state actors have their sights on the cloud

Prioritising the protection of credentials and adopting robust security measures can better...

Combating financial crime with AI

Rapid digital transformation across Australia and New Zealand has provided cybercriminals with...

Learning from the LockBit takedown

An international taskforce has seized the darknet sites run by LockBit, but relying on law...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd