An Android trojan known as BankBot is targeting hundreds of apps on Google Play in a wide-net effort to steal mobile users' online banking credentials.
BankBot first surfaced earlier this year after its source code was leaked in December. It infiltrates benign programs, hitching a ride to installation on users’ phones. Once opened, it prompts the user to grant it administrative privileges, then hides by removing its shortcut from the home screen.
From there, it can send and intercept texts, obtain contact list phone numbers, track device geolocation via GPS satellites and request additional privileges to do things like make phone calls. And of course, it steals confidential user information by tracking the launch of online banking applications and payment system software. When those applications are launched, it loads a phishing input form on top of the attacked application to capture credentials.
To the user, the apps still work and appear legitimate, because they started off that way. And the bad actors are making the most of that situation. Securify’s Niels Croese, for instance, found that with the Funny Videos 2017 app, someone infected it with the trojan just after the last time it had received an update—giving it the longest possible window for infection. As many as 5,000 users had installed the compromised app before it was updated and the trojan defanged.
Unfortunately, it doesn’t stop with one app, which Google has removed. Croese examined the code and found that the trojan had compromised more than 400 apps available for download on Google Play.
"Consumers have been repeatedly told that only reputable online stores should be used to download apps,” Robert Capps, VP of business development at NuData Security, told us by email. “Yet, this discovery throws that advice into question and leaves the consumer with few options beyond combing reviews, or to download the app directly from the bank’s site where possible. Banking apps are now a fact of life. In 2016, the Federal Reserve reported that banking apps had stable market penetration at around 43% of the mobile phone market. Many mobile phone users not using their phones for banking reported security concerns as part of their reluctance, and trojans like this being found within apps on a major app store only support their concern.”
The issue can be addressed by more than Google’s policing. Banks could offer customers robust account protection that includes a suite of layered authentication technologies that go beyond just username and password credentials.
“These new solutions authenticate users based on their online behaviors; methods that are extremely resistant to impersonation, don’t rely on credential data, and can even provide banks with options to upgrade user experiences for trusted good customers,” Capps added. “These technologies are going to defeat trojans and malware by making the credentials and payment card details the fraudsters go after obsolete. I’d love to get to the point that fraudsters are holding a bag full of nothing, because that is where these new technologies are taking us."