
Trojan Banking: Breaching Mobile Cybersecurity Fortresses

Mon, 24 Jun 2019

“Do not trust the horse, Trojans. Whatever it is, I fear the Greeks even when they bring gifts.” – Virgil, Aeneid[1]

The Trojan War had gone on for ten years when the Trojans believed that they'd finally won. Wine flowed, armour came off, and the city of Troy took to celebrating. However, the Greeks would have the last laugh. Enter the Trojan horse. The Greeks built a gigantic wooden horse with an empty belly wherein Greek soldiers could hide. The Greeks gave it to the Trojans, convincing them it was a peace offering. The Trojans accepted the thoughtful gift, pulling it to the centre of their fortified city. That night, after the Trojans' celebratory wine had run dry and the warriors had fallen into a deep sleep, the Greeks emerged from the horse's stomach and proceeded to slaughter the Trojans.

Now, fast forward a few millennia to the present day. 

You’re a Trojan.

Cybercriminals are the Greeks (just in this analogy – no angry comments, please).

That horoscope themed app you just downloaded from Google Play – that was the Trojan Horse.

Banking Trojans

A cyber Trojan horse, known simply as a Trojan, is mobile malware that has been disguised as a genuine mobile app to lure people into installing it. Once installed, the app behaves in one of two ways: either it reports that an error has occurred, shows a message that the app has been removed due to incompatibility, and then hides from view, or it does what it says it will and displays your horoscope.

Your horoscope prediction should read "Compromised mobile banking ahead, expect decreases in wealth."

No matter which way the mobile app behaves, once launched it is used to steal personal data, banking, and other financial credentials. The Trojan can also bring keylogging as well as other spyware onto your mobile device. Trojans are remote-controlled, capable of dynamically targeting other apps on your mobile device. They can also intercept and redirect text messages, allowing the malware to bypass SMS-based two-factor authentication, intercept mobile call-logs, and download and install other malicious apps on the infected mobile device. 

Banking Trojans are very devious. They are evil, masked as something fun, useful and, of course, harmless. They disguise themselves as mobile battery managers, weather apps, video players, brain games and, of course, horoscopes. They sneak around the mobile device, unbeknownst to the user, collecting all the information, permissions and rights required to execute their slaughter: sliding a fake banking login screen over the user's legitimate banking app and stealing the username and password. Users probably don’t realize anything is happening until an insufficient funds warning pops up when they try to make a purchase from the account.
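A defender's view of the "permissions and rights" mentioned above, as an added example that is not part of the original article: it reads a decoded AndroidManifest.xml and reports which of the behaviours described in this section the app has asked for the ability to perform. The sample manifest, the package name com.example.horoscope, and the mapping of behaviours to Android permissions (including treating an accessibility service as the route to keylogging) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping: behaviours named in the article -> permissions that enable them.
RISKY = {
    "intercept SMS (2FA codes)": {"android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS", "android.permission.SEND_SMS"},
    "read call logs": {"android.permission.READ_CALL_LOG"},
    "draw over other apps (fake login)": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "observe input (accessibility)": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "install other apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

def declared_permissions(manifest_xml):
    # <uses-permission> entries plus permissions that guard declared services
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            perms.add(el.get(ANDROID_NS + "name"))
        elif el.tag == "service" and el.get(ANDROID_NS + "permission"):
            perms.add(el.get(ANDROID_NS + "permission"))
    perms.discard(None)
    return perms

def audit(manifest_xml):
    # Return only the risky behaviours this manifest actually enables.
    perms = declared_permissions(manifest_xml)
    return {behaviour: sorted(perms & needed)
            for behaviour, needed in RISKY.items() if perms & needed}

# Constructed sample: manifest of a hypothetical "horoscope" app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.horoscope">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for behaviour, perms in audit(SAMPLE).items():
        print(f"[!] can {behaviour}: {', '.join(perms)}")
```

A horoscope app has no functional need for any of the four capabilities this flags, which is the mismatch between stated purpose and requested access that gives a Trojan away.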

Fake Banking Apps

Banking Trojans are not to be confused with phony mobile banking apps, which are more straightforward. These are simply apps that try to convince users that they are what they appear to be: legitimate banking apps. Once it is downloaded and installed, a user will launch a fake banking app and be greeted by a regular banking login screen. The user's banking credentials are submitted, and then the criminal harvests them. Victims know right away that they've been duped, as there is nothing more to the app than a login screen.

You should be wary of fake mobile banking apps but fear the more covert banking Trojans.


The Trojan threat infiltration

With a growing number of people banking online from mobile devices, theft of banking and financial information from mobile devices is also on the rise. Between June and September of 2018, McAfee detected a two-times increase in mobile banking Trojans. In December of 2018, there was a further 75% spike.[2] Part of this growth is because cybercriminals are adapting to security restrictions, finding new, stealthy ways to dodge Google security. During this same period, a set of 29 Trojans was found in the official Android store disguised as “useful” apps. These apps all belonged to the category of sophisticated mobile banking malware with complex functionality and a heavy focus on stealth. The 29 mobile apps in question have all been removed from the official Android store. Before the Trojan banking apps were pulled, approximately 30,000 users installed them.[3]

According to a new study from Varonis, an ISA partner, there’s a new strain of the Qbot banking Trojan infecting at least 1,700 computers in the U.S. and 58 in Canada (and thousands more globally). This Trojan, like others, steals personal and corporate online banking login credentials.[4] McAfee predicts that Android banking Trojans will continue evolving and adapting to bypass cybersecurity measures inside and outside of Google Play. Banking Trojans are a vast source of revenue for cybercriminals, who will therefore continue to develop them. McAfee says that banking Trojans “success in getting onto mobile devices means they will also explore adding additional forms of revenue like ransomware, ad click fraud, and acting as a download conduit for other types of malware.”[5] Sreenu Pillutla, Sr. Director, Software Engineering, McAfee, states that “As long as Banking Trojans are able to pretend to be legitimate banking and financial apps, cybercriminals will continue to improve its distribution methods to reach its victims and generate as much fraudulent revenue as possible.”[6]

How do you protect your device from Trojan banking apps?

Here are five rules for avoiding Trojan banking and fake banking apps:

Rule one: Steer clear of unofficial app stores as much as possible.

Rule two: Always have the “installation of apps from unknown sources” setting on your device disabled. 

Rule three: Pay attention to an app’s reputation on Google Play (read reviews, look for feedback). Negative reviews are a big, red flag.

Rule four: After you’ve installed a new app on your mobile device, pay attention to how it’s behaving. 

Rule five: You should only download banking and financial apps to your mobile device that you can link to from the official financial institution's website. Seeking out specific apps that you need, instead of downloading apps you stumble across is safe cybersecurity practice and helps to avoid malware of every kind.

Also, it's important to practice good mobile cybersecurity hygiene on your mobile devices.

Good mobile cybersecurity hygiene includes:

  • Strong PINs and passwords are the first line of cybersecurity defence.
  • Disable features like Wi-Fi, GPS, and Bluetooth when you aren’t using them.
  • The latest software, web browser and OS are the best defences against cybercrime. If there's an update available for your operating system or an app, then get on that.
  • Phishing scams get users' personal and banking information by tricking them into clicking on a link. The link can be emailed, sent via text, or delivered through an app. If it's sketchy, don't click.
  • Put anti-virus protection and firewalls between any web-enabled device and the world.
  • Get in the cybersecurity habit:
      o Do not leave your phone unattended.
      o Are you ditching your device for the newest model? Delete everything. Leave no app unturned.
      o When using your device, shield your keyboard or password from prying eyes.
      o Only do your online banking, or any other critical online task that involves sensitive data, on a trusted, secure network.
      o Do not use “Remember Me” features. It’s a pain, but take the time to type in your unique ID and password for each of your multitude of social media sites.
      o Make a checkup date with your mobile devices. Set an alarm, or add a reminder to your calendar, to change your password, cleanse your apps, or check for updates.

For more information on good mobile cybersecurity hygiene, check out this article. Good cybersecurity hygiene helps to protect your device from all malware. The old saying is don’t look a gift horse in the mouth – the Trojans and ISA both advise you (based on experience) to look a gift horse in the belly, and a gift app in the user interface.


