Five Tips to Protect Mobile Banking Against Malware

The banks are under attack by the mobile malware again, and we can see that they are still very much unprepared for this type of threat. We are on a mission to make the digital banking secure, and therefore we are looking at this situation with a bit of a concern. It’s mainly because making the mobile banking safe against the current threats is something that is achievable with modest investments.

We want to share with you our five tips to make mobile banking resistant against the mobile malware. However, let’s recap first what happened and how the malware works.

Simple, Yet Effective Malware

How did the malware get on the user’s device?

Both mobile malware instances that caused trouble to the banks recently were installed from Google Play — the official marketplace. The apps initially did what they claimed to do. The last malware instance was published on Google Play for more than six months as a regular “call blocker” app. The apps were updated with a malware code (hidden behind a confusing name, such as “Google Service”) after gathering large enough user base. The last instance of malware gathered approximately 10,000 users.

How does the malware work?

The malware does not use any sophisticated low-level system hacks. It merely abused the “Accessibility” permissions available on the Android platform. While these APIs are useful for writing apps for people with limited abilities to use a smartphone (blind users, limited hand movement, …), they are dangerous in the wrong hands.

After granting the permissions, the malware can read the contents of all windows shown on display. This way, it can detect the launch of a mobile banking app and present a fake login UI in the right moment. Also, the malware can perform fake gestures and prevent a user from uninstalling the malware by automatically closing the Settings app.

Malware requests “accessibility” permissions to observe when a mobile banking app is stared and launches a fake banking login screen afterwards. It can also perform gestures and for example prevent malware uninstall by closing the Settings app.

Who reported the malware?

The malware was discovered by the security team from ESET anti-virus company, who reported the malware to all affected banks immediately. Great job! :-)

Five Tips to Stop The Malware

These are the five tips that banks can do to stop the mobile malware from causing any further damage.

1. Implement SCA Compliant 2FA for the Internet Banking

With a strong 2FA authentication, the bank customers are safe even if a malware steals their username and password. It is because whenever a malware tries to use the credentials to perform the payment, the customer will be made aware of such an event and can reject it instantly.

A Mobile token app is an example of such a security method.

With a Mobile token, the user can instantly see the payment details.

In case the payment is unexpected or contains wrong data, the user can immediately report the transaction to the bank’s security team.

2. Fortify Your Mobile Apps with RASP

The current mobile malware uses the accessibility features or a process monitoring to detect a launch of the mobile banking app and to present a fake login user interface just in the right moment.

Modern RASP (runtime application self-protection) solutions, such as Promon-powered App Shielding by Wultra, contain a whole spectre of security issue mitigants. Among others, they can stop the untrusted screen readers and cloak the process name of a running mobile banking app. As a result, mobile malware cannot see the mobile banking app and cannot perform its malicious activity.

App Shielding by Wultra adds a whole range of security hardening features. Protection from the fake screen readers is one of them.

3. Behavioural Authentication and Fraud Detection System

Even if an attacker steals the customer credentials, with the correct countermeasures in place, it must be able to enter these credentials in the banking systems correctly to be able to steal the money. In other words: The attacker must make the system believe that the right user entered the credentials and made the payment via the correct channel.

Behavioural authentication and fraud detection systems, such as the one by ThreatMark, can both recognise the correct user from a fraudster based on the deep behaviour scoring, and score the operation itself based on a various range of inputs, such as user’s location or attributes of the payment.

4. Work with the Anti-Virus Vendors to Detect Known Malware

Even if some malware manages to sneak behind the existing security measures, specific malware signatures can be black-listed, for example, based on the package name. Anti-virus vendors manage large databases of known security threats and malware. Their solutions will be able to identify a potential risk on your users’ devices.

In case your mobile banking app identifies there is a malicious app installed on the device, it can scream “Help” to the banking system to let the bank security team know about the issue and to automatically block the customer account to prevent any damage.

The least you can do in your app is to use Android’s own SafetyNet APIs to check for potentially harmful apps.

5. Educate Your Users

No security measures are complete without the active participation of the weakest link of the system: the end customer. Banks should prepare an easy to understand guidelines for the users explaining to them how to stay safe in the online environment.

Better yet, the local regulatory body that is responsible for the banking standards should do that. Here is an example of the “secure banking principles” website by the Czech Banking Association, hosted on a trusted domain https://www.bezpecnebanky.cz/.

We hope that you find our content helpful. In case you would like us to elaborate a bit more, do not hesitate to contact us.