Partner Perspectives  Connecting marketers to our tech communities.
12/15/2015
01:45 PM
Vincent Weafer
Vincent Weafer
Partner Perspectives
50%
50%

Investigating Mobile Banking Attacks

Poor mobile app back-end security coding puts consumer information at risk.

Mobile apps are convenient and easy to use, but sometimes their developers do not put enough focus on the back end. Big Internet companies such as Amazon, Facebook, and Google provide back-end services for many apps with secure data storage and data management features, but it is up to the app developer to implement access to those services with security in mind.

Earlier this year, McAfee Labs joined Technische Universität Darmstadt and Fraunhofer SIT to explore the back-end exposure of 2 million mobile apps. This team found that mobile apps are often insecure, allowing unauthorized access to their associated cloud storage, including full names, email addresses, passwords, photos, financial transactions, and health records. This information could be used for identity theft, malware distribution, and financial fraud.

According to the November 2015 McAfee Labs Threats Report, some mobile app developers do not follow the documentation and security guidelines provided by the back-end services. Because most mobile apps have a secret key embedded in the app, one of the most important recommendations is to use a different channel for important data record manipulation from the basic app activity. Otherwise, someone with minimal technical knowledge can readily extract the key and read, update, or delete records.

Ironically, malware-carrying mobile apps also do not follow the security guidelines of the back-end services they use, enabling our researchers to investigate their malicious activities. The investigators analyzed 294,817 mobile malware apps and found 16 using poor security coding practices when connecting to the popular Facebook Parse back end. These were associated with two mobile banking Trojan families, Android/OpFake and Android/Marry. Facebook has been notified, and these accounts have been shut down.

The researchers decompiled and analyzed these Trojans to understand how they operate and what information they gather. After installing, typically from a malicious link in a text message purporting to be from a popular Russian instant-messaging app, the malware hides its icon and starts a service in the background to intercept SMS messages and send user information to its control server. Malware agents use the back-end service to queue and manage commands for each infected phone, waiting for SMS messages from banking apps that they could modify and reuse.

During June and July, just these two malware families intercepted almost 170,000 SMS messages, most of them personal, impacting the privacy of those infected. However, within these messages were a number of banking transactions such as querying credit card numbers, account balances, and making fund transfers. More than 20,000 commands were executed during this time, mostly for financial fraud.

By counting the number of unique device identifiers in the malware data store in the back-end service, the analysts determined that almost 40,000 users were affected by these two Trojans.

The take-away from this investigation is to be very careful with the mobile apps that you download onto your phone. Because it is difficult to know how secure a particular app’s back-end implementation is, McAfee Labs recommends that you stick with well-known apps with third-party security validation. Also, either avoid rooting your device or make sure to unroot it after using any necessary admin privileges, as the malware often abuses privileged access to silently install apps without consent.

For more information on mobile app vulnerabilities, please visit http://www.mcafee.com/November2015ThreatsReport.

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gsatpathy
50%
50%
gsatpathy,
User Rank: Apprentice
1/17/2016 | 11:31:50 AM
How a novice user can protect himself?
A novice user understands that apps coming form the app store are secured enough.What such user can do to stay protected from such malicious programs that happen at backend?

A great article.
Readerof stuff
50%
50%
Readerof stuff,
User Rank: Apprentice
12/21/2015 | 8:01:40 PM
Re: Banks need to do better
TLS 1.3 details are provisional and incomplete; is in draft and not ready; TLS 1.3 has not seen significant security analysis to be of secure use.

 

https://tlswg.github.io/tls13-spec/
RyonKnight
0%
100%
RyonKnight,
User Rank: Strategist
12/16/2015 | 3:34:53 AM
Banks need to do better
Banks ought to be among the best at securing their apps and online services as there is so much money and reputational damage at risk.  Yet my bank still uses TLS 1.2 to secure customer logons.  I emailed them to ask about it and they refused to discuss it.  Currently moving my account elsewhere.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: It's a tough joob but someone has to test the links.
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.