
A Look at Mobile Banking Threats

With the number of smartphone users steadily increasing each year, the move toward mobile banking is only natural. Reports put the number of mobile banking users at around 590 million worldwide, with an estimated 1 billion by 2017. But as mobile banking gains popularity, users should be aware of the security concerns that come with it.

The Issue of Spoofing

As with other app types, users may encounter Trojanized or fake apps disguised as legitimate banking apps. Cybercriminals use several tricks to mimic legitimate apps: reusing the same images and icons, or choosing a publisher name that closely imitates the real one.

One example is FAKEBANK, a malware family spotted in the second quarter of 2013. Once installed, it uses the Google Play icon to avoid attention. During installation, it replaces parts of legitimate banking apps' files with malicious code but leaves their icons and user interface untouched, so the tampering is not visible to the user. When users open these apps, they unwittingly hand over their account information. FAKEBANK also steals call logs and received text messages.

Spoofed icon and user interface

Banking-related apps have also become a cybercriminal target. The FAKETOKEN malware mimics a financial institution's token generator app. It shows an error message and asks users for their password to clear it; once the password is entered, the malware displays a fake token and sends the stolen information to a specific number.

Error message on fake token generator

Spoofing isn't limited to apps. Mobile phishing sites are another way of tricking users into divulging personal information. While phishing sites are still predominantly a PC threat, mobile phishing is fast becoming a formidable threat in both growth and complexity. Our January to September 2013 data shows a 53% increase in the number of mobile phishing sites compared with the same period in 2012, and financial institutions were the most targeted sites in the third quarter.

Top mobile target sites

We found a mobile phishing attack that spoofs a bank's mobile login page. While the phishing site resembles the legitimate website, it noticeably lacks the padlock icon and the https:// scheme in the address bar. Note that the reverse does not hold: a page served over HTTPS is not necessarily legitimate, since attackers can obtain certificates for domains they control, so users should also check that the domain name is the bank's own.

Comparison between legitimate (left) and phishing (right) sites

Aside from asking for login credentials, the fake site redirects users to further pages that ask for an email address and scans of government-issued IDs. Once these supposed requirements are submitted, it provides a link that leads to a dead page.

Even after the victim changes the login details, the stolen email address gives cybercriminals another way at the account, for example through password-reset or follow-up phishing messages. The ID scans, meanwhile, can be used for identity theft, fraud, and other scams.

Vulnerability and Legitimacy

Mobile vulnerabilities have been reported before, but only recently have we seen one play into mobile banking. The Android "master key" vulnerability lets an attacker modify an app package (APK) without invalidating its original signature: the package can contain two entries with the same name, and the component that verifies the signature and the component that installs the code do not agree on which copy to use. Because the signature still checks out, a tampered package can be installed as an update to a legitimate app already on the device. Almost all Android devices from Android 1.6 (Donut) onward are vulnerable.

Cybercriminals have already used this vulnerability against mobile banking users, specifically customers of the South Korean financial institution NH Nonghyup Bank. A downloadable "update" for the bank's app was made available on third-party app sites. The update exploits the master key vulnerability to insert a malicious file into the legitimate package, Trojanizing the app while keeping its original signature.

This attack shows that apps do not operate in a silo. Even a legitimate app can become a threat if it runs in a vulnerable environment.
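The following example, added here and not code from the original article, models the class of bug described in this section: an archive that names the same file twice, where one component resolves that name to one copy and another component to the other. It does not claim which Android component saw which copy on real devices; it shows why two reasonable name-resolution strategies can disagree, why a per-entry digest check then passes on tampered content, and the hardening check that closes the gap. The APK signing scheme is simplified to a per-entry SHA-256 digest table, and the classes.dex contents are constructed stand-ins, not real DEX bytecode.

```python
"""Duplicate ZIP entry names: why a 'verified' archive can still ship tampered code.

Added example, not code from the original article. It models the class of bug
described above (an archive with two entries of the same name, where the
signature verifier and the installer resolve that name to different copies).
The APK signing scheme is simplified to a per-entry SHA-256 digest table; the
contents are constructed stand-ins, not real DEX bytecode.
"""
import hashlib
import io
import warnings
import zipfile

# Constructed sample content. Neither is real DEX bytecode.
ORIGINAL_DEX = b"dex\n035\x00 original classes.dex (signed by the publisher)"
TAMPERED_DEX = b"dex\n035\x00 tampered classes.dex (injected by the attacker)"


def build_archive(entries):
    """Build an in-memory ZIP from (name, data) pairs, allowing duplicate names.

    zipfile warns about duplicates but still writes both entries, which is
    exactly the malformed layout the master key bug relied on.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_by_name(archive, expected_digests):
    """Simplified signature check: look entries up by name.

    ZipFile.read(name) resolves a name through a dict, so with duplicate names
    it silently returns the LAST copy. This mirrors a verifier that indexes the
    central directory by name.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return all(sha256(zf.read(name)) == digest
                   for name, digest in expected_digests.items())


def extract_first_match(archive, name):
    """Simplified installer: take the FIRST central-directory entry with that name.

    A component that scans entries in order and stops at the first match sees
    a different copy than the dict-based verifier above.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.read(info)  # read by ZipInfo, not by name
    raise KeyError(name)


def has_duplicate_entries(archive):
    """Hardening check: reject any archive that names the same path twice.

    A signed archive with duplicate names has no single well-defined content
    to verify, so the safe answer is to refuse it outright.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
        return len(names) != len(set(names))


def demo():
    # The publisher's digest table covers the original classes.dex only.
    expected = {"classes.dex": sha256(ORIGINAL_DEX)}

    # The attacker prepends a tampered entry and keeps the original one, so
    # the digest over the original content is still present and untouched.
    archive = build_archive([
        ("classes.dex", TAMPERED_DEX),
        ("classes.dex", ORIGINAL_DEX),
    ])

    verified = verify_by_name(archive, expected)              # last copy matches
    installed = extract_first_match(archive, "classes.dex")  # first copy: tampered
    rejected = has_duplicate_entries(archive)                 # hardened check
    return verified, installed == TAMPERED_DEX, rejected


if __name__ == "__main__":
    verified, tampered, rejected = demo()
    print(f"digest check passed:                  {verified}")
    print(f"installer got tampered code:          {tampered}")
    print(f"duplicate-name check rejects archive: {rejected}")
```

The point of the two resolution functions is the parser differential itself: neither is "wrong" in isolation, and a digest table can only be trusted if every consumer of the archive agrees on what each name refers to. Rejecting archives with duplicate names removes the ambiguity at the boundary instead of trying to make every consumer agree.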

Other Risks

Spoofed apps and phishing sites are not the only mobile banking threats. Text messages, one of the defining features of the mobile platform, have also been abused in mobile banking attacks. Examples are the ZITMO malware, first spotted in 2011, and the PERKEL malware, which affects Android users. Both can monitor, send, and receive text messages undetected. Control over text messages lets cybercriminals intercept security codes, particularly the one-time codes used for two-factor and multifactor authentication, which gives them easier access to online bank accounts.

Mobile users may also encounter smishing (SMS phishing) or vishing (voice phishing). While the techniques differ—smishing relies on text messages while vishing relies on voice calls—the end goal remains the same: steal information.

Threats can also be simpler than users think. Losing a phone, by accident or through theft, can have dire consequences, especially if it isn't locked with a PIN or pattern and its owner has left an online banking session open on it.

Protection for Mobile Banking

Financial institutions should have a comprehensive strategy in place before offering mobile options to their customers. It's not enough to create a mobile-ready site or an official app; these should be backed by continuous efforts to keep them secure, whether through official app updates or site revamps.

Users should be given options for additional levels of security, such as multifactor authentication or text message notifications. Clear policies and advisories should also be provided so that users are well informed of the bank's guidelines and mobile banking activities.

Users may refer to our e-guide, “Securing Your Mobile Banking Experience,” for tips on keeping mobile banking sessions secure.
