Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
12/15/2015
01:45 PM
Vincent Weafer
Vincent Weafer
Partner Perspectives
50%
50%

Investigating Mobile Banking Attacks

Poor mobile app back-end security coding puts consumer information at risk.

Mobile apps are convenient and easy to use, but sometimes their developers do not put enough focus on the back end. Big Internet companies such as Amazon, Facebook, and Google provide back-end services for many apps with secure data storage and data management features, but it is up to the app developer to implement access to those services with security in mind.

Earlier this year, McAfee Labs joined Technische Universität Darmstadt and Fraunhofer SIT to explore the back-end exposure of 2 million mobile apps. This team found that mobile apps are often insecure, allowing unauthorized access to their associated cloud storage, including full names, email addresses, passwords, photos, financial transactions, and health records. This information could be used for identity theft, malware distribution, and financial fraud.

According to the November 2015 McAfee Labs Threats Report, some mobile app developers do not follow the documentation and security guidelines provided by the back-end services. Because most mobile apps have a secret key embedded in the app, one of the most important recommendations is to use a different channel for important data record manipulation from the basic app activity. Otherwise, someone with minimal technical knowledge can readily extract the key and read, update, or delete records.

Ironically, malware-carrying mobile apps also do not follow the security guidelines of the back-end services they use, enabling our researchers to investigate their malicious activities. The investigators analyzed 294,817 mobile malware apps and found 16 using poor security coding practices when connecting to the popular Facebook Parse back end. These were associated with two mobile banking Trojan families, Android/OpFake and Android/Marry. Facebook has been notified, and these accounts have been shut down.

The researchers decompiled and analyzed these Trojans to understand how they operate and what information they gather. After installing, typically from a malicious link in a text message purporting to be from a popular Russian instant-messaging app, the malware hides its icon and starts a service in the background to intercept SMS messages and send user information to its control server. Malware agents use the back-end service to queue and manage commands for each infected phone, waiting for SMS messages from banking apps that they could modify and reuse.

During June and July, just these two malware families intercepted almost 170,000 SMS messages, most of them personal, impacting the privacy of those infected. However, within these messages were a number of banking transactions such as querying credit card numbers, account balances, and making fund transfers. More than 20,000 commands were executed during this time, mostly for financial fraud.

By counting the number of unique device identifiers in the malware data store in the back-end service, the analysts determined that almost 40,000 users were affected by these two Trojans.

The take-away from this investigation is to be very careful with the mobile apps that you download onto your phone. Because it is difficult to know how secure a particular app’s back-end implementation is, McAfee Labs recommends that you stick with well-known apps with third-party security validation. Also, either avoid rooting your device or make sure to unroot it after using any necessary admin privileges, as the malware often abuses privileged access to silently install apps without consent.

For more information on mobile app vulnerabilities, please visit http://www.mcafee.com/November2015ThreatsReport.

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gsatpathy
50%
50%
gsatpathy,
User Rank: Apprentice
1/17/2016 | 11:31:50 AM
How a novice user can protect himself?
A novice user understands that apps coming form the app store are secured enough.What such user can do to stay protected from such malicious programs that happen at backend?

A great article.
Readerof stuff
50%
50%
Readerof stuff,
User Rank: Apprentice
12/21/2015 | 8:01:40 PM
Re: Banks need to do better
TLS 1.3 details are provisional and incomplete; is in draft and not ready; TLS 1.3 has not seen significant security analysis to be of secure use.

 

https://tlswg.github.io/tls13-spec/
RyonKnight
0%
100%
RyonKnight,
User Rank: Strategist
12/16/2015 | 3:34:53 AM
Banks need to do better
Banks ought to be among the best at securing their apps and online services as there is so much money and reputational damage at risk.  Yet my bank still uses TLS 1.2 to secure customer logons.  I emailed them to ask about it and they refused to discuss it.  Currently moving my account elsewhere.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7753
PUBLISHED: 2020-10-27
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) [DNP] via trim().
CVE-2020-27182
PUBLISHED: 2020-10-27
Multiple cross-site scripting (XSS) vulnerabilities in konzept-ix publiXone before 2020.015 allow remote attackers to inject arbitrary JavaScript or HTML via appletError.jsp, job_jacket_detail.jsp, ixedit/editor_component.jsp, or the login form.
CVE-2020-27183
PUBLISHED: 2020-10-27
A RemoteFunctions endpoint with missing access control in konzept-ix publiXone before 2020.015 allows attackers to disclose sensitive user information, send arbitrary e-mails, escalate the privileges of arbitrary user accounts, and have unspecified other impact.
CVE-2020-8956
PUBLISHED: 2020-10-27
Pulse Secure Desktop Client 9.0Rx before 9.0R5 and 9.1Rx before 9.1R4 on Windows reveals users' passwords if Save Settings is enabled.
CVE-2020-15352
PUBLISHED: 2020-10-27
An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.