Partner Perspectives  Connecting marketers to our tech communities.
12/15/2015
01:45 PM
Vincent Weafer
Vincent Weafer
Partner Perspectives
50%
50%

Investigating Mobile Banking Attacks

Poor mobile app back-end security coding puts consumer information at risk.

Mobile apps are convenient and easy to use, but sometimes their developers do not put enough focus on the back end. Big Internet companies such as Amazon, Facebook, and Google provide back-end services for many apps with secure data storage and data management features, but it is up to the app developer to implement access to those services with security in mind.

Earlier this year, McAfee Labs joined Technische Universität Darmstadt and Fraunhofer SIT to explore the back-end exposure of 2 million mobile apps. This team found that mobile apps are often insecure, allowing unauthorized access to their associated cloud storage, including full names, email addresses, passwords, photos, financial transactions, and health records. This information could be used for identity theft, malware distribution, and financial fraud.

According to the November 2015 McAfee Labs Threats Report, some mobile app developers do not follow the documentation and security guidelines provided by the back-end services. Because most mobile apps have a secret key embedded in the app, one of the most important recommendations is to use a different channel for important data record manipulation from the basic app activity. Otherwise, someone with minimal technical knowledge can readily extract the key and read, update, or delete records.

Ironically, malware-carrying mobile apps also do not follow the security guidelines of the back-end services they use, enabling our researchers to investigate their malicious activities. The investigators analyzed 294,817 mobile malware apps and found 16 using poor security coding practices when connecting to the popular Facebook Parse back end. These were associated with two mobile banking Trojan families, Android/OpFake and Android/Marry. Facebook has been notified, and these accounts have been shut down.

The researchers decompiled and analyzed these Trojans to understand how they operate and what information they gather. After installing, typically from a malicious link in a text message purporting to be from a popular Russian instant-messaging app, the malware hides its icon and starts a service in the background to intercept SMS messages and send user information to its control server. Malware agents use the back-end service to queue and manage commands for each infected phone, waiting for SMS messages from banking apps that they could modify and reuse.

During June and July, just these two malware families intercepted almost 170,000 SMS messages, most of them personal, impacting the privacy of those infected. However, within these messages were a number of banking transactions such as querying credit card numbers, account balances, and making fund transfers. More than 20,000 commands were executed during this time, mostly for financial fraud.

By counting the number of unique device identifiers in the malware data store in the back-end service, the analysts determined that almost 40,000 users were affected by these two Trojans.

The take-away from this investigation is to be very careful with the mobile apps that you download onto your phone. Because it is difficult to know how secure a particular app’s back-end implementation is, McAfee Labs recommends that you stick with well-known apps with third-party security validation. Also, either avoid rooting your device or make sure to unroot it after using any necessary admin privileges, as the malware often abuses privileged access to silently install apps without consent.

For more information on mobile app vulnerabilities, please visit http://www.mcafee.com/November2015ThreatsReport.

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gsatpathy
50%
50%
gsatpathy,
User Rank: Apprentice
1/17/2016 | 11:31:50 AM
How a novice user can protect himself?
A novice user understands that apps coming form the app store are secured enough.What such user can do to stay protected from such malicious programs that happen at backend?

A great article.
Readerof stuff
50%
50%
Readerof stuff,
User Rank: Apprentice
12/21/2015 | 8:01:40 PM
Re: Banks need to do better
TLS 1.3 details are provisional and incomplete; is in draft and not ready; TLS 1.3 has not seen significant security analysis to be of secure use.

 

https://tlswg.github.io/tls13-spec/
RyonKnight
0%
100%
RyonKnight,
User Rank: Strategist
12/16/2015 | 3:34:53 AM
Banks need to do better
Banks ought to be among the best at securing their apps and online services as there is so much money and reputational damage at risk.  Yet my bank still uses TLS 1.2 to secure customer logons.  I emailed them to ask about it and they refused to discuss it.  Currently moving my account elsewhere.
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/15/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19333
PUBLISHED: 2018-11-17
pkg/sentry/kernel/shm/shm.go in Google gVisor before 2018-11-01 allows attackers to overwrite memory locations in processes running as root (but not escape the sandbox) via vectors involving IPC_RMID shmctl calls, because reference counting is mishandled.
CVE-2018-19340
PUBLISHED: 2018-11-17
Guriddo Form PHP 5.3 has XSS via the demos/jqform/defaultnodb/default.php OrderID, ShipName, ShipAddress, ShipCity, ShipPostalCode, ShipCountry, Freight, or details parameter.
CVE-2018-19327
PUBLISHED: 2018-11-17
An issue was discovered in JTBC(PHP) 3.0.1.7. aboutus/manage.php?type=action&action=add allows CSRF.
CVE-2018-19328
PUBLISHED: 2018-11-17
LAOBANCMS 2.0 allows install/mysql_hy.php?riqi=../ Directory Traversal.
CVE-2018-19329
PUBLISHED: 2018-11-17
GreenCMS v2.3.0603 allows remote authenticated administrators to delete arbitrary files by modifying a base64-encoded pathname in an m=admin&c=media&a=delfilehandle&id= call, related to the m=admin&c=media&a=restorefile delete button.