Banks Take Precautionary Measures Against App MalwareMalware Has Targeted 232 Applications
Banks in India are alerting customers to take steps to guard against becoming a victim of Android malware that's targeting 232 applications, including banking and cryptocurrency apps, paving the way for potential thefts from their accounts. They're also advising customers to avoid downloading apps from third-party app stores or links provided in SMSs and emails to keep their credentials safe.
The Android malware is targeting 232 applications, including banking and cryptocurrency apps, according to Quick Heal, an anti-virus firm. The company alleges that State Bank of India, Union Bank of India, HDFC, and ICICI are among the institutions affected; it says cryptocurrency apps and ecommerce apps, including Amazon were also affected.
ISMG reached out to several of the affected major banks to confirm the impact of the malware and did not receive any response.
So far, however, no case of theft of funds tied to the malware has been reported, although some credentials have been breached.
The Trojan, known as 'Android.banker.A2f8a' is being distributed through a fake Flash Player app on third-party stores, according to QuickHeal. It's designed to steal login credentials, hijacking SMSs, uploading contact lists on a malicious server. The malware has also been detected earlier as Android.banker.A9480, says QuickHeal in its blog.
"The Trojan is designed to spy on a person and can be used to compromise two-factor authentication systems, which include banking transactions, social media account reset, email account reset," says Pavan Kushwaha, founder and CEO at Noida-based Kratikal Tech, a cybersecurity company providing end to end solution. "By extension of the same, it can lead to large-scale hacks of an entire organization."
How Banks Reacted
Ratan Jyoti, CISO at Ujjivan Bank, says he immediately took action when he received alerts from Quick Heal as well as CERT-In. "Most banks are monitoring the rogue apps. Post hearing this, I alerted my service provider and I haven't received any serious concern from them as far as my bank is concerned," says Ratan Jyoti, CISO at Ujjivan Bank. "Since I am a customer with other banks as well, I have received the alert through SMS. We too sent mails to all our employees and then alerted our customers as well."
One bank sent the following message to its customers:
How the Malware Works
Researchers at QuickHeal, in a blog post, explain that the if any one of the 232 targeted apps is found on a device infected with the malware, the malware shows a fake notification asking them to click on a link on behalf of the targeted banking app. If the user clicks on the notification, they are shown a fake login screen to steal the user's confidential information, such as their banking login ID and password, the blog states.
The malware can intercept all incoming and outgoing SMSs from the infected device. This enables the attackers to bypass SMS-based two-factor authentication on the victim's bank account.
Once the Android malware is installed, it asks the user to activate administrative rights, says Sanjay Katkar, joint managing director and chief technology officer at Quick Heal Technologies.
"In case the user denies the request or kills the process, the app will keep throwing continuous pop-ups until the user activates the admin privilege," he says. "Once this is done, the malicious app hides its icon soon after the user taps on it."
Although no money apparently has been stolen as a result of the malware infections so far, security practitioners say the matter can't be taken lightly.
"The malware can compromise the user credentials to the banking app, which is a serious concern if found to be replicated in real world. Currently there are no reported cases of money being stolen. The matter can't be taken lightly if user credentials can be compromised this easily," contends Dharshan Shanthamurthy, CEO at SISA Information Security, a payment security specialist firm.
"It's a serious threat for novice mobile users who have this Trojan app installed in their phone," says Bengaluru-based Palani Bala, CTO at Arctos Networks, a cybersecurity service provider. "The overlay screen created by this android Trojan is not 100 per cent look-alike of the login screen of the banking applications. Experienced users can easily pick the difference," Bala says. "Since the malicious Trojan app is distributed only via third- party app stores, users not using apps from unauthorized app stores will not be affected."
Experts say many anti-virus solutions may not help prevent such malware attacks as the viruses are constantly evolving.
"CISOs should run regular attack simulations to measure how vulnerable they are with respect to various attacks like banking trojans and ransomware," Kushwaha says.
Katkar stresses on the importance of user education. "CISOs should alert their customers about the Android Banking Trojan and suggest steps to mitigate the threat," he says.
Users can take the following steps:
- Always keep 'unknown sources' disabled. Enabling this option allows installation of apps from unknown sources;
- Verify app permissions before installing any app even from official stores such as Google Play;
- Install a reliable mobile security app that can detect and block fake and malicious apps before they can infect your device;
- Always keep your device OS and mobile security app up to date.
Katkar believes with the rising acceptance of BYOD, enterprises are also at risk of mobile threats with employees accessing official data on their personal mobile devices. "Giving such a device unrestricted access to personal and official information and at the same time leaving it exposed to infected websites, fake or malicious apps can only spell disaster that could be beyond recovery," he says.
To fight against malware attacks, CISOs should look into areas such as:
- Consider using such technologies as virtual environments, data classification, virtual container approaches and device integrity scanning solutions.
- Deploy enterprise mobility management including mobile device management and mobile application management. These provide "sandboxing" mechanisms to separate out the personal and enterprise applications and data.
- Ensure enterprise data is encrypted and strong authentication mechanisms are installed to make access to the company's network secure.
- Make sure that a BYOD policy is clearly and repeatedly communicated to employees.
Multifactor authentication can also play a critical role in fighting against malware attacks. "In this case two-factor authentication wouldn't have worked because the SMS was sent to the infected mobile device," Shanthamurthy says. "We need to move toward multi-factor authentication which means that the additional factor of authentication should be on an isolated device from the login device."
Jyoti adds: "We can't compromise security for ease of doing online transactions. We can't keep continuing to ignore the warnings."