ANDROID INJECTIONS ALREADY TARGETING JAPANESE BANKING APPS
November 14, 2017
The threats and attacks overwhelming the cyberspace have been keeping cybersecurity departments on their toes, and they should-
This time the online banking service apps are the ones that should be concerned, as the good old web injection method commonly used in MITB-class attacks is now targeting banking apps on Android.
This nightmare became a reality with the first man-in-the-browser (MITB) overlaying attack in 2013, in which the mobile malware Trojan-SMS.AndroidOS.Svpeng overlaid other apps with its own phishing window. This malicious app gained access to Russian bank accounts through a template page downloaded from a malicious server, to which the icon and the name of the attacked application were added.
Because these windows follow the banks’ branding, copyright and login displays, they trick the user into providing all of the information needed to access their accounts.
While this initial malware may have reached an end by evolving security measures, new Trojan dangers disguised as banking apps continue to surface around the globe.
In our continuous hunt for new attacks threatening our customers, in joint research with ClearSky, we were able to identify a strong actor crafting and distributing Android injections for the Japanese banking app market.
Now, the first step in defending your organization from these attacks is to get to know them better.
What are these ‘mobile banking Trojans’ and how do they work?
As opposed to the web injection tools on computers, cybercriminals creating the mobile versions of the MITB attacks are using completely different technologies:
- Overlaying: when the malicious app detects that the destination app (usually a banking one) has been opened and overlays it with:
- A special Trojan window
- A phishing web page located on a malicious server. This way, the cybercriminals can modify its contents any time they need to.
- A template page, downloaded from a malicious server, to which the icon and the name of the attacked application are added.
- Redirecting the user from the bank’s page to a phishing page. The Trojan registers for notifications of changes to the browser’s bookmarks, which include the currently open page. This way the Trojan knows which webpage is open, and if it happens to be one of the targeted pages, the Trojan opens the corresponding phishing page in the same browser and redirects the user there. It’s worth mentioning that this technique no longer works in Android 6 and later versions (Unuchek & Gorchakov, 2017).
However, if you thought newer versions of Android or better user attention to changing URLs could put an end to these attacks, you’ve got another thing coming – Cloak & Dagger.
Why is the Cloak & Dagger technique so effective?
Because this new class of attacks allows a malicious app to take over the device without the user even noticing it, and it affects all versions of Android, including 7.1.2 (Fratantonio, 2017).
The malicious app requires only two permissions, while the user:
- Does not need to explicitly grant them (when installed from Google Play Store)
- Is not notified of them
- Is completely unaware of the attack
What can you do?
Our research (with ClearSky) suggests an attack targeting the Japanese banking app sector is inevitable, and it won’t take long until it affects others.
So, how can you prevent these attacks from happening? Here are a few general rules users should follow:
- Ensuring apps are only installed from Google’s Play Store, which screens and validates apps (and is mostly effective, though not always).
- Ensuring the app is installed from its legitimate and certified author.
- Never using untrusted apps downloaded from locations other than the app store.
- Keeping alert as to what information to share with such apps. For example, there’s no need for a banking app to know the user’s social media accounts, etc.
- Mobile banking malware often will request permission to access SMS — this is how they hijack one-time passwords sent by the bank’s system as part of two-factor authentication. Maintain utter caution with any app that asks for authorization to view these messages.
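As an added defender-side example (not part of the original post or of Votiro’s or ClearSky’s tooling): a Python triage script that flags, from a decoded AndroidManifest.xml, the capability combination behind the attacks described above: the overlay permission, an accessibility service binding, and SMS access. It assumes the two Cloak & Dagger permissions are SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE (as documented by Fratantonio et al.), and the two manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capabilities tied to the attack vectors discussed in the post
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"           # draw over other apps
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # second Cloak & Dagger permission
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}  # OTP interception

def extract_capabilities(manifest_xml: str) -> dict:
    """Return which overlay/accessibility/SMS capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    # An accessibility service is declared on a <service>, not as a uses-permission
    binds_a11y = any(s.get(PERM_ATTR) == ACCESSIBILITY for s in root.iter("service"))
    return {"overlay": OVERLAY in requested,
            "accessibility": binds_a11y,
            "sms": bool(SMS & requested)}

def triage(manifest_xml: str) -> list:
    """Translate the declared capabilities into the risks a reviewer should look at."""
    caps = extract_capabilities(manifest_xml)
    findings = []
    if caps["overlay"] and caps["accessibility"]:
        findings.append("overlay + accessibility: Cloak & Dagger style takeover possible")
    elif caps["overlay"]:
        findings.append("overlay: can draw a phishing window over a banking app")
    if caps["sms"]:
        findings.append("SMS access: can intercept one-time passwords")
    return findings

# Constructed sample: a manifest with the suspicious combination
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a manifest that requests nothing of interest
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("fakebank", SUSPICIOUS_MANIFEST), ("notes", BENIGN_MANIFEST)):
        print(name, triage(m) or ["no overlay/accessibility/SMS capabilities"])
```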
Votiro, along with ClearSky, will continue to monitor cyberspace in the hunt for new attacks and threats to our customers. Just remember, the ever-growing surge of smartphones and convenient apps will be a continued target for covert Trojan tactics, from banking to social media and instant messaging platforms reaching Russia, Japan and beyond. Stay vigilant!
Fratantonio, Y., et al. (2017, May). Cloak & Dagger. Retrieved November 12, 2017, from http://cloak-and-dagger.org/
Unuchek, R., & Gorchakov, D. (2017, January 18). Do web injections exist for Android? Retrieved November 12, 2017, from Securelist: https://securelist.com/do-web-injections-exist-for-android/77118/