The Rise of Banking Trojans in Rogue Mobile Apps

Did you know that one in every 20 fraud attacks is associated with a rogue mobile app?

Zimperium released its annual Mobile Banking Heists Report, which highlights the continued evolution and success of mobile banking trojans around the globe. In particular, the research uncovered that 29 malware families targeted 1,800 banking applications across 61 countries last year. In comparison, last year’s report uncovered 10 prolific malware families targeting 600 banking apps. With the projected growth of the mobile banking market supposedly reaching $7 billion by 2032 alongside the rapid growth of both malware families and targets, mobile application protection should be something that is on everyone’s mind. As end users continue to be the easiest target, this vector of attack will only continue to see rapid growth.

Banking trojans continue to evolve and succeed due to their ability to persist, bypass security, and evade detection on mobile devices. As investment from fast-moving threat actors continues to increase, traditional security practices are unable to keep up.

The research also revealed that United States banking institutions remain by far the most targeted by financially motivated threat actors. There were 109 U.S. banks targeted by banking malware in 2023, compared to the next most targeted countries which were the U.K. (48 banking institutions) and Italy (44). Due to the United States’ presence in the Global Economy, the US will continue to be a target of bad actors both domestically and internationally.

RSA’s mobile banking statistics show that about one in every 20 fraud attacks is caused by a rogue mobile app. Fraudsters can upload a rogue app to one of the major app stores where they can count on unsuspecting users to download it.

While many app stores like Google Play claim to vet the applications that are allowed onto their stores, there are many dangerous ones that can — and do — slip through the cracks. Unfortunately, it can be challenging to tell whether an app comes from a reputable vendor or if it’s a cleverly disguised piece of malware.

Other key findings highlighting the real threat of mobile banking malware found in Zimperium’s report include:

• Traditional banking applications remain the prime target, with a staggering 1,103 compromised apps —accounting for 61% of the 1800 targets—while the emerging FinTech and Trading apps make up the remaining 39%.
• Hook, Godfather, and Teabot are the top banking malware families, measured by the number of banks targeted.
• The 19 malware families from last year’s report have evolved with new capabilities, and 10 new families have been identified as a threat in 2023.
• New capabilities observed within banking malware this year include:
  • Automated Transfer System (ATS): A technique that facilitates unauthorized transfers of money.
  • Telephone-based Attack Delivery (TOAD): Involves a follow-up call to gain trust and download more malware.
  • Screen Sharing: Being able to remotely control a victim’s device without having physical access to it.
  • Malware-as-a-Service (MaaS): An online business model offering malware creation tools for rent or sale, facilitating easy execution of cyberattacks.

Zimperium 2023 Mobile Banking Report

From 2022 to 2023, Banking trojans as a category have seen significant growth in both sophistication and adaptation of new techniques. A few of the most notable ones from the past year include the following:

1. Intercepting Notifications: Undermines secure notification systems, requiring secure channels for alerts.
2. Bypassing One-Time Passwords: Weakens the effectiveness of Multi-Factor Authentication (MFA).
3. Making Code Open Source: Accelerates malware evolution, making signature-based anti-malware solutions less effective.
4. Leveraging Automated Transfer System (ATS): The ability to perform unauthorized transactions with little to no user interaction.
5. Detecting & Evading Emulators: Challenges automated malware analysis systems and basic mobile security Software Development Kits (SDKs), requiring more advanced threat detection capabilities.
6. Using Domain Generation Algorithms (DGA): Makes deny listing domains ineffective, requiring advanced Domain Name System (DNS) filtering solutions.

Protecting Apps from Malware

To combat the rising threat of banking malwares, enterprises should:

• Ensure protection matches threat sophistication: For organizations that develop their own applications, you should implement advanced code protection techniques. This may help elevate an organization’s security posture to a point where the cost and effort of attacking an application outweigh the potential gains for the attacker. A few of the techniques that can be utilized are:
  • Prevent the use of insecure source code by performing Static Application Security Testing
  • Create a source code protection policy in order to help protect against threats such as reverse engineering and code tampering.
• Implement runtime visibility for comprehensive threat monitoring and modeling: Enable runtime visibility across various threat vectors, including device, network, application, and phishing. This real-time insight allows for active identification and reporting of risks, threats, and attacks.
• Deploy on-device protection for real-time threat response: It is important to encourage customers to utilize on-device protection mechanisms that enable apps to take immediate actions upon threat detection. While Windows, macOS, Android, and iOS all include protection against malware, it is important to consider adding an additional AV solution that has the ability to act autonomously against any potential threat.
• Inform customers of this threat vector: By informing and educating friends, family, and customers of the potential threat of banking trojans from both phishing and rogue apps from app stores, we can help build awareness and work on preventing them from becoming the next victim.

DefenseStorm Recommendations

• Educate users about the risks of QR code phishing emails
• Continued internal training for phishing campaigns
• Keep all systems and software updated to the latest patched versions to best protect against all known security vulnerabilities
• Maintain a strong password policy
• Enable multi-factor authentication
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location