Anti-Malware , Breach Preparedness , Data Breach

Android Mobile Banking Malware Risk Worsens

Why Mobile Banking Apps Need Stronger Authentication
Android Mobile Banking Malware Risk Worsens

A new report from security firm FireEye that says the mobile banking Trojan dubbed SlemBunk is rapidly becoming more sophisticated illustrates why mitigating mobile malware risks must be an urgent priority for banks this year (see Updated Mobile Malware Targets Android).

See Also: Vulnerability Management with Analytics and Intelligence

In light of the growing threat, banks need to require their customers to use biometric authentication for mobile banking and help them to install technologies that can detect the presence of malware on mobile devices, some security experts advise.

"Mobile malware in general should be of concern to financial institutions," says financial fraud expert Julie Conroy, research director at the consultancy Aite. "As the mobile channel continues to grow - JPMorgan Chase's earnings announcement [Jan. 14] said their mobile bankers had grown 20 percent year-over-year to 23 million - criminals are following the money. We're seeing not only the number of strains of mobile malware increase, but also the portion of them that are malicious. I'm speaking with many banks that are actively working on deploying technologies that can shield mobile banking sessions from malware."

FireEye: Android Devices Targeted

Last month, FireEye published a report about the SlemBunk malware strain, which is designed to attack Android devices and steal mobile banking login credentials. At the time the report was published, FireEye had identified 170 SlemBunk samples in the wild that targeted users of more than 30 mobile banking applications. Attacks were identified in North America, Europe, and Asia Pacific.

In an update provided in a Jan. 13 blog, FireEye says SlemBunk's attack chain is much longer than originally reported. Three malicious mobile apps have to be downloaded before the attack is complete, the firm says. That makes it much more difficult for analysts and researchers to trace these attacks back to their origin. "Thus, the malware can have a more persistent existence on the victim's device," FireEye adds.

"Those Trojan apps masquerade as common, popular applications and stay incognito after running for the first time," FireEye said in its Dec. 17 report. "They have the ability to phish for and harvest authentication credentials when specified banking apps are launched."

Jimmy Su, senior staff software development engineer at FireEye, says SlemBunk's capabilities have become far more sophisticated. "Both obfuscation and the distribution channel have become more sophisticated in the past two to three weeks," he says. "The technique can be used to target any bank or credit union that has its own mobile app. Minimal amount of code changes are needed to target a new bank or credit union."

To help minimize those emerging risks, Su recommends that banking institutions implement two-factor authentication for mobile and online-banking, provide or suggest mobile threat prevention services to their customers and use location and Internet protocol information to identify anomalies in users' log-in behavior for mobile and online banking.

More Mobile Attacks on Way

Consumers' use of mobile banking surpassed in-branch banking for the first time in 2015, proving that mobile is increasingly users' preferred banking channel, says Al Pascual, senior vice present and research director at Javelin Strategy & Research .

"Banking malware will only become more popular in the mobile space as it becomes consumers' channel of choice," Pascual says. "SlemBunk's focus on gleaning credentials should incite banks to move more quickly toward instituting biometric authentication in the mobile channel, as well as to bolster their online authentication to prevent effective misuse of any data compromised from a mobile banking session.

"We continue to have problems with banking malware and passwords, and now that has migrated to the mobile channel. At this point, everyone knows the lesson; it's just a question of deciding to act on it."

How the Trojan Spreads

FireEye has not identified any of the banking institutions or payments providers whose apps have been targeted by Slembunk. But it has offered details about how the Trojan spreads.

Like many other types of malware, the latest versions of SlemBunk are primarily distributed through drive-by downloads, such as from pornography websites. In many cases, users are prompted to download a fake Adobe Flash update that is malicious, FireEye notes.

In its Jan. 13 blog about additional concerns linked to SlemBunk, FireEye points out that configurable network computing servers also are being used to wage SlemBunk attacks - an additional layer of the attack chain FireEye did not identify during its first analysis.

"Our additional research also identified the URLs of a few CnC [command and control] servers for this campaign," FireEye writes in its blog. "We looked into the communication protocol between the SlemBunk apps and the CnC server by studying relevant code and monitoring the exchanged messages. It reveals that SlemBunk is developing into a more organized campaign with highly customized CnC servers, including the use of what appears to be an administration panel to manage the campaigns. The registration records of the relevant domains suggest that this campaign activity is very recent, still ongoing, and possibly evolving into different forms."

What's more, FireEye says this combined use of drive-by download distribution and CnC server communication suggests that the SlemBunk campaign is well-organized and continues to evolve.

"The administrative interface hosted on the CnC server implies that the CnC server is customizable and that the SlemBunk payload can easily adapt per the attacker's specifications," FireEye says. "Second, the timeline information for the domains associated with this attack showed that this campaign is very recent, still ongoing and very likely to continue evolving into different forms."

Security firm and consultancy iSIGHT Partners says Android malware "presents a significant threat to targeted entities and mobile device users."

"iSIGHT Partners has documented a number of Android malware families and, while we have not specifically identified the Trojan that FireEye terms 'SlemBunk,' we believe it is related to a series of Android malware authored by GanjaMan," the company says. "SlemBunk shares similarities in functionality to several malware types developed by this actor."


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network