Banking customers are becoming more reliant on mobile channels for their financial needs. In fact, in 2020, 86.5% of Americans used a mobile device to check their bank balance, and this is only expected to increase. According to the same research, mobile-app fraud transactions have increased by over 600% since 2015, and about one in every 20 fraud attacks is associated with a rogue mobile app.
Recently, researchers observed additional evidence that mobile banking apps are an extremely enticing target for fraudsters. The researchers uncovered that bad actors adapted their techniques to find new ways around Google Play Store restrictions. Seemingly harmless "dropper" apps, small programs that facilitate the delivery and installation of malware remained dormant for months until they could slowly be updated with malicious code. Due to these attacks' slow-burning nature, simple antivirus scans would not identify the threat. Once ready, fraudsters would use the code to download apps without the user’s permission and ultimately download Android banking Trojans.
Though Google continues to update how it polices apps on its Play Store, financial institutions must expect mobile fraud campaigns to continue to evolve and slip through the net, despite Google's good intentions. It's crucial to understand that security is never a single point in time. However, the security hygiene of a user's device can change over time. In this case, before the dropper app downloaded the malicious payload, it's possible to assume the device was secure. So, let's look at exactly how these attacks occurred, what they did, and how banks can get ahead to mitigate similar future attacks on their customers.
Lessons Learned, From Apps to Accounts
Mobile applications consist of hundreds, if not thousands, of lines of code. Ultimately, Google Play automates a lot of the scans to detect malicious code for thousands of apps daily. We're now seeing that these apps being used to infiltrate app stores have some functionality and appear safe by misleading detection scans until cybercriminals deploy the attack.
Once malicious code has been uploaded, attackers can easily trick users by prompting them to download an update to the app from an unknown or third-party source.
The update enables cybercriminals to abuse accessibility settings, designed to simplify phone usage for people with disabilities, to automate mobile device functions for fraud. Some of these malicious applications have allowed fraudsters to abuse these settings to conduct overlay attacks and embed keyloggers so they can steal usernames and passwords or execute lines of code to steal personal data. To get ahead of these threats, it will mean organizations must be proactive regarding mobile app security. There's no single way to stop today's mobile threats. The best protection is a layered, defense-in-depth approach consisting of (but not limited to) strong customer authentication; client- and server-side risk analysis for fraud prevention; and in-app protection.
Mobile Security Requires Continuous Education, Updates
App store providers will continuously review their security procedures to make their platforms and devices more secure. But big tech companies have to deal with so many new apps and updates constantly that it's inevitable that many malicious apps may find their way into the stores.
For a long time, too, there has been a case to educate customers about the threats they face. Banks make noticeable efforts to warn customers about potential threats such as clicking suspicious links via SMS or email, or not downloading anything to their device from an untrusted source.
But, inevitably, someone will make a mistake as fraudsters use various techniques to gain a user's trust. With apps seeming completely harmless, it's all too easy for this to happen. By the time banks warn their customers about specific threats, the likelihood is that fraudsters are already evolving beyond those techniques, finding new ways to fool their unsuspecting victims.
Even with big tech companies proactively updating security requirements for their app stores and collectively educating customers, advanced security technologies are essential to filling the gap and mitigating potentially fraudulent activity – whether it's a known or unknown threat.
Assume an Unsafe Environment at All Times
Financial institutions have no control over what users do on their mobile devices outside their applications. So, the first step to securing mobile banking applications is to assume that apps are continuously operating in unsafe environments. Without this approach, security is implicitly being outsourced to big tech companies. However, customers will still expect their bank to protect the money in their accounts.
To mitigate these types of attacks, banking applications must deploy technology that can identify any malicious activity or interference with a mobile application before funds can be stolen, even when previously unseen threats have targeted customers. In-app protection is implemented within an app to make it more resilient against a variety of mobile threats such as repackaging, malware, script injection, cryptojacking, SMS grabbing, and more.
While we discuss fraudsters' present techniques to commit fraud, they're already planning and innovating for their next campaign. Over the next year, researchers will continue to document new threats and techniques, but mitigating the damage that these future threats can cause means implementing advanced technologies, capable of identifying and preventing new threats as they emerge.