The spread of apps for mobile devices is increasing rapidly – and with it, the security risks. Mobile malware mainly targets banking apps. Such attacks can be expensive for users, explains Klaus Joachim Gährs, Senior Account Manager at BioCatch, in a guest article.
The use of mobile apps has steadily increased in recent years. According to a report by Adjust, the download rate had already doubled in 2020 compared to the previous year. On average, every smartphone owner installed around 40 apps on their device – and the trend is rising. According to the study, another 250 billion apps could be downloaded by this year.
With the spread of apps, the number of cyberattacks on mobile devices is also increasing. The methods are diverse. In addition to sophisticated social engineering attacks that trick users into downloading malware onto their phones, fake applications are on the rise in both official and unofficial app marketplaces. Once such an app has been downloaded, a Trojan installs itself and enables cybercriminals to spy on information or download additional malware. For example, if the hacker installs a Remote Access Trojan (RAT) on the smartphone, it can take administrative control of the device and intercept login data for a banking app or one-time passwords. The user does not notice anything at first. According to an investigation by BioCatch, 1 in 24 fraud cases in Q2 2021 was a RAT attack.
Insight into a FluBot attack
An example of mobile malware is the FluBot Trojan, which spread widely in Germany at the beginning of the year. The malware is mainly used to steal bank, contact, SMS, and other private data and was first discovered in early 2020. To achieve a large reach, i.e., to infect as many devices as possible, the hackers use social engineering attacks. Those affected usually receive an SMS message from a supposed parcel delivery service that contains a phishing link. If the person clicks on the link, they are directed to a fake website. The malicious code is installed on the smartphone as an Android service and runs in the background. As a result, it can persist on the device without being recognized. After downloading, it gets broad privileges and immediately starts scanning the applications installed on the device. The Trojan also initiates so-called overlay attacks, which trick the victim into entering their credentials on a fake interface. This is how the hacker eventually gets sensitive information such as bank details. FluBot is also able to steal cryptocurrencies. It is difficult for those affected to recognize and delete the Trojan. And if criminals gain access to login and account information, they can make money transfers on behalf of their victims, causing significant financial damage.
The detection of malware on mobile devices relies primarily on standard antivirus technologies that look for the name of a suspicious file and regularly check apps and their hashes for malware. However, this method has repeatedly reached its limits in recent years: to bypass the antivirus scan, the hackers design their malware so that its file name changes continuously. The list of malware they use to attack mobile devices is also getting longer and the methods more sophisticated. Since mobile devices have been increasingly used for banking transactions in the past two years, it can be assumed that malware for smartphones will increasingly circulate in the future.
Detect mobile malware with behavioral biometrics
Procedures based on behavioral biometrics can help. They can detect when a cybercriminal has exfiltrated bank details through mobile malware and is making transfers. With the help of artificial intelligence and machine learning, security experts can distinguish real users from scammers. For example, a criminal navigates a transaction faster on the device because he is familiar with the process, and enters the stolen data into the transfer form by copying and pasting. Changed touch and swipe patterns are also an indicator if they deviate from the original sessions. This may indicate that the user had no control over the mobile device because a remote access Trojan was installed on the smartphone. In a fraud attempt via RAT, for instance, the device lies flat for the entire duration of an account session. In comparison, the real user moves the smartphone, i.e., its position changes several times during a session.
By analyzing the touch and swipe patterns of fraudulent and genuine sessions and then comparing them to the actual account holder’s past activities, typical patterns emerge:
- No touch is made in any area on the smartphone. This indicates a RAT attack in which the device is controlled remotely.
- Swipes are in a different location on the screen than in previous account sessions. This suggests that the user has no control over the device during the session.
- The device is kept in the same position throughout the session, for example, lying on the table. A real user would move the smartphone.
If the software detects several fraudulent characteristics based on behavioral biometrics and machine learning, the bank’s security experts will receive an alarm. This allows financial institutions to intervene in a fraud attempt as a precaution before the customer and the bank suffer economic damage.
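The following Python example is added here for illustration and is not BioCatch's implementation. It checks one session against the account holder's baseline for the three patterns listed above, plus the paste and speed indicators mentioned earlier, and alerts when several fire. The `Session` fields, all thresholds, and the sample sessions are constructed assumptions.

```python
from dataclasses import dataclass
from math import hypot
from statistics import mean, pstdev

@dataclass
class Session:
    touches: list        # (x, y) touch-down points, normalised to 0..1
    swipes: list         # (x, y) swipe start points, normalised to 0..1
    pitch_deg: list      # device pitch samples during the session (degrees)
    pasted_fields: int   # form fields filled by paste
    duration_s: float    # login to transfer confirmation

def centroid(points):
    return mean(p[0] for p in points), mean(p[1] for p in points)

def indicators(s, baseline):
    """Names of the indicators that fire; thresholds are illustrative assumptions."""
    hits = []
    if not s.touches and not s.swipes:
        hits.append("no_touch")                  # device driven remotely
    elif s.swipes and baseline.swipes:
        (ax, ay), (bx, by) = centroid(s.swipes), centroid(baseline.swipes)
        if hypot(ax - bx, ay - by) > 0.25:       # swipes far from the usual area
            hits.append("swipe_location_shift")
    if len(s.pitch_deg) >= 2 and pstdev(s.pitch_deg) < 0.5:
        hits.append("device_static")             # e.g. lying flat on a table
    if s.pasted_fields > 0 and baseline.pasted_fields == 0:
        hits.append("paste_entry")               # data copied in, not typed
    if s.duration_s < 0.5 * baseline.duration_s:
        hits.append("fast_navigation")           # much faster than the owner
    return hits

def should_alert(s, baseline, min_hits=2):
    """Alert only when several indicators coincide, as the article describes."""
    return len(indicators(s, baseline)) >= min_hits

# Constructed sample sessions (not real telemetry).
BASELINE = Session([(0.5, 0.8), (0.6, 0.7)], [(0.5, 0.75), (0.55, 0.8)],
                   [35.0, 42.0, 38.5, 50.0], 0, 90.0)
GENUINE = Session([(0.5, 0.82)], [(0.52, 0.78), (0.5, 0.74)],
                  [30.0, 44.0, 39.0, 47.0], 0, 80.0)
RAT_LIKE = Session([], [], [0.1, 0.1, 0.2, 0.1], 2, 30.0)

if __name__ == "__main__":
    for name, sess in (("genuine", GENUINE), ("rat_like", RAT_LIKE)):
        print(name, indicators(sess, BASELINE), should_alert(sess, BASELINE))
```

Requiring at least two indicators keeps a single unusual signal, such as a user who happens to paste an IBAN, from triggering an alert on its own.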