The report: Mobile Banking Heists Report [December 2023]
Source: Zimperium
Why we picked it: The proliferation of mobile banking apps creates new and complex vulnerabilities in the nexus between mobile technology and its users. Effective defense will require that banks keep pace both with the increasing sophistication of actors and the evolving, sometimes reckless behavior of mobile banking customers.
Executive Summary
Fueled by consumer preference and personalized experiences, the mobile banking market is outpacing online banking across all age groups and is projected to reach $7 billion by 2023.
At the same time, mobile accounts for an ever-greater portion of fraud: one in 20 fraud attacks can now be traced back to a rogue mobile application.
In its 2023 Mobile Banking Heists Report, mobile security company Zimperium analyzed 24,000 unique samples of mobile device malware infections and identified 29 malware families targeting 1,800 mobile banking apps.
Monitoring millions of devices, it also found that 9% had been affected by malware, with banking trojans affecting a fifth of these devices. In 2023, Zimperium found troubling numbers of malware with new capabilities to evade security, avoid detection, and steal bank credentials. As these threats mount, banks will need to adopt new best practices and defenses to protect consumers and their own brand reputation.
Key Takeaways
- In over 29 malware families researched, 61% of the 2,100 of the variants targeted banks while 39% targeted fintechs or trading apps.
- Financially motivated threat actors have most of their sites on U.S. institutions, with Wells Fargo, Bank of America, and Capital One among the most targeted.
- Godfather, one of the most prolific malwares, has more than 1,000 known variants and targets 237 banking apps in 57 countries.
What we liked: Zimperium identifies the main threats and illustrates how malware uses new capabilities to take over accounts and make unauthorized transfers — and offers good data into how malicious actors are exploiting banking apps.
What we didn’t: The report is rather short on solutions. Zimperium offers just three “best practices”:
- Implement advanced code protection techniques;
- Enable runtime visibility across threat vectors; and
- Deploy on-device protection
All are likely already familiar to most SOCs and IT teams. More on these below.
The Malware Threat is Evolving Rapidly
Looking back: Malware has been advancing every year, and malware families are continually spawning new variants. More than half of the malware families researched already had advanced keylogging, screen overlay, accessibility, and SMS-stealing capabilities.
Zimperium found that most banking apps lack adequate protection against reverse engineering and tampering, allowing threat actors to reverse them quickly, create clones with banking malware, and distribute them via social engineering.
Ransomware will target consumers next: Ransomware is now present in 59% of all incidents with a financial motivation, and consumers should expect to see more ransomware capabilities within mobile banking malware.
“In an era where mobile is the digital channel of choice for banking, understanding the anatomy, impact, and trends of mobile banking malware is essential to building secure mobile banking apps that garner customer trust and thrive in a hyper-competitive environment.”
The broader economic impact: Last year, nearly 60% of the fraudulent banking transactions were initiated via a mobile device. As mobile banking malware continues to evolve and undermine traditional security, the risks for banks will continually rise.
This will lead to increased operational costs, diminished consumer confidence, and brand impact. It will also drive financial losses for consumers with a greater burden to protect themselves and their devices.
Meanwhile, as banking malware harvests a broad range of personal data, it can lead to long-term risk of identity theft and personal privacy invasion.
New Threats to Banking Apps: Latest Techniques
This year’s report noted several new high-profile threats to mobile banking apps:
MaaS: Malware-as-a-Service is transforming cybercrime, offering subscriptions and toolkits to new criminals to enter the market and deploy advanced attacks. Nexus is one of the banking malware families distributed under this model and is often used for account takeover attacks.
Automated Transfer System (ATS) technique: Malware often uses an Automated Transfer System to transfer unauthorized funds from a victim’s account without raising suspicion. It first harvests credentials and checks account balances.
It then initiates a transaction, uses an MFA token capture, and executes the transaction, sending the funds to a predetermined account controlled by the attackers. Finally, the ATS deletes transaction-related SMS alerts or notifications, making it hard for the victim to detect the fraud. The PixPirate malware often uses ATS to execute unauthorized money transfers.
TOAD: Telephone-Oriented Attack Delivery is a social engineering attack that tricks victims into a phone conversation with the attacker. The “agent” takes the victim through a series of steps to download and install malware on the device, which enables them to perform unauthorized transactions, data theft, and other fraud. The Copybara malware typically uses TOAD in combination with traditional phishing to capture credentials and takeover accounts.
Screen sharing abuse: While screen sharing is a legitimate activity, it can also be used for malicious purposes. In mobile banking trojans, the malware can remotely access and manipulate a user’s device, including their banking app, to carry out unauthorized transactions or steal information. Hook malware uses screen sharing to be a particularly potent and malicious threat in mobile banking trojans to support account takeover and fraud.
Best Practices and Defenses
There are several best practices that financial institutions and their dev teams can adopt to protect their apps from malware.
Protection must match threat sophistication: Given the advancements of the threats, mobile app security teams must prioritize advanced code protection techniques to impede the reverse engineering and tampering of mobile applications. This not only deters the creation of targeted malware but also reduces the likelihood of scalable fraud. By elevating the security posture, the cost and effort of attacking the application will outweigh the potential gains for the attacker.
Runtime visibility for threat monitoring and modeling: Security and development teams often lack visibility into threats and operate in the dark. To close this gap, mobile application security leaders can enable runtime visibility across various threat vectors, including device, network, application, and phishing. This will help them better identify and report risks and attacks and pave the way for continuous threat monitoring and rapid response.
On-device protection: As the ability to respond effectively and in real-time is critical, mobile application security leaders should prioritize on-device protection mechanisms to take immediate action upon detecting a threat. This ability should be autonomous, requiring no dependency on network connectivity or back-end server communication.
Finally, Consumers Must Protect Themselves
While accessibility permissions on Android were originally designed to help users with disabilities, they can also be risky because they give apps broad control over a device’s functionalities.
Banking trojans often ask for features to automate transactions, capture sensitive data, and overlap fake login screens. Consumers should be extremely cautious when downloading Android apps from third-party app stores.
Craig Guillot is a longtime contributor to The Financial Brand who specializes in technology. He often writes about IoT, cybersecurity and SaaS. His work has appeared in The Wall Street Journal, Entrepreneur and elsewhere.