
Partner Perspectives | 12/15/2015 01:45 PM | Vincent Weafer

Investigating Mobile Banking Attacks

Poor mobile app back-end security coding puts consumer information at risk.

Mobile apps are convenient and easy to use, but sometimes their developers do not put enough focus on the back end. Big Internet companies such as Amazon, Facebook, and Google provide back-end services for many apps with secure data storage and data management features, but it is up to the app developer to implement access to those services with security in mind.

Earlier this year, McAfee Labs joined Technische Universität Darmstadt and Fraunhofer SIT to explore the back-end exposure of 2 million mobile apps. This team found that mobile apps are often insecure, allowing unauthorized access to their associated cloud storage, including full names, email addresses, passwords, photos, financial transactions, and health records. This information could be used for identity theft, malware distribution, and financial fraud.

According to the November 2015 McAfee Labs Threats Report, some mobile app developers do not follow the documentation and security guidelines provided by the back-end services. Because most mobile apps embed a secret key in the app binary, one of the most important recommendations is to handle important data-record manipulation over a different channel than basic app activity. Otherwise, someone with minimal technical knowledge can readily extract the key and read, update, or delete records.
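To make the "different channel" recommendation concrete, here is an added example (constructed for this article, not code from McAfee or any real back-end SDK) of a toy back end that can be configured either way: with the embedded app key acting as a master key, or with the embedded key only opening a login channel so that every record read, write or delete needs a per-user session token and an ownership check. The class name, method names and the sample records are all assumptions.

```python
import hashlib
import hmac
import secrets

class Backend:
    """Hypothetical back end (constructed for this example, not a real SDK).
    master_embedded=True: the key shipped in the app grants full record access,
    the weak pattern the report describes. False: record access needs a session."""

    def __init__(self, client_key, master_embedded):
        self.client_key, self.master_embedded = client_key, master_embedded
        self.pw_hashes = {}  # user -> sha256 hex; a real back end uses a slow KDF
        self.sessions = {}   # session token -> user
        self.records = {}    # record id -> {"owner": user, "fields": {...}}

    def register(self, user, password):
        self.pw_hashes[user] = hashlib.sha256(password.encode()).hexdigest()

    def login(self, client_key, user, password):
        """The separate channel: proves who the person is, not just which app."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(client_key, self.client_key):
            return None
        if not hmac.compare_digest(self.pw_hashes.get(user, ""), digest):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def access(self, client_key, token, op, rec_id, fields=None):
        if not hmac.compare_digest(client_key, self.client_key):
            return "denied: bad client key"
        rec = self.records.get(rec_id)
        if self.master_embedded:  # weak: an extracted key alone is enough
            return self._apply(op, rec_id, rec, fields, rec["owner"] if rec else "unowned")
        user = self.sessions.get(token)
        if user is None:
            return "denied: session token required"
        if rec is not None and rec["owner"] != user:
            return "denied: not the record owner"
        return self._apply(op, rec_id, rec, fields, user)

    def _apply(self, op, rec_id, rec, fields, owner):
        if op == "read":
            return dict(rec["fields"]) if rec else None
        if op == "write":
            self.records[rec_id] = {"owner": owner, "fields": dict(fields or {})}
            return "ok"
        if op == "delete":
            self.records.pop(rec_id, None)
            return "ok"
        return "denied: unknown operation"
```

In the weak configuration the only credential the back end ever sees is the key anyone can pull out of the APK; in the hardened one that key buys nothing but the right to attempt a login.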

Ironically, malware-carrying mobile apps also do not follow the security guidelines of the back-end services they use, enabling our researchers to investigate their malicious activities. The investigators analyzed 294,817 mobile malware apps and found 16 using poor security coding practices when connecting to the popular Facebook Parse back end. These were associated with two mobile banking Trojan families, Android/OpFake and Android/Marry. Facebook has been notified, and these accounts have been shut down.

The researchers decompiled and analyzed these Trojans to understand how they operate and what information they gather. After installing, typically from a malicious link in a text message purporting to be from a popular Russian instant-messaging app, the malware hides its icon and starts a service in the background to intercept SMS messages and send user information to its control server. Malware agents use the back-end service to queue and manage commands for each infected phone, waiting for SMS messages from banking apps that they could modify and reuse.

During June and July, just these two malware families intercepted almost 170,000 SMS messages, most of them personal, impacting the privacy of those infected. However, within these messages were a number of banking transactions such as querying credit card numbers, account balances, and making fund transfers. More than 20,000 commands were executed during this time, mostly for financial fraud.

By counting the number of unique device identifiers in the malware data store in the back-end service, the analysts determined that almost 40,000 users were affected by these two Trojans.

The take-away from this investigation is to be very careful with the mobile apps that you download onto your phone. Because it is difficult to know how secure a particular app’s back-end implementation is, McAfee Labs recommends that you stick with well-known apps with third-party security validation. Also, either avoid rooting your device or make sure to unroot it after using any necessary admin privileges, as the malware often abuses privileged access to silently install apps without consent.

For more information on mobile app vulnerabilities, please visit http://www.mcafee.com/November2015ThreatsReport.

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team ...

Comments
gsatpathy, User Rank: Apprentice, 1/17/2016 | 11:31:50 AM
How can a novice user protect himself?
A novice user understands that apps coming from the app store are secure enough. What can such a user do to stay protected from such malicious programs that happen at the back end?

A great article.
Readerof stuff, User Rank: Apprentice, 12/21/2015 | 8:01:40 PM
Re: Banks need to do better
TLS 1.3 details are provisional and incomplete; it is in draft and not ready; TLS 1.3 has not seen significant security analysis to be of secure use.

https://tlswg.github.io/tls13-spec/
RyonKnight, User Rank: Strategist, 12/16/2015 | 3:34:53 AM
Banks need to do better
Banks ought to be among the best at securing their apps and online services, as there is so much money and reputational damage at risk. Yet my bank still uses TLS 1.2 to secure customer logons. I emailed them to ask about it and they refused to discuss it. Currently moving my account elsewhere.