Animesh Gupta

Mobile Banking Trojans

Updated: Jul 15, 2018

Every smartphone is a compact computer equipped with its own operating system and software, and so, just like PCs, smartphones are targeted by malware. Mobile banking Trojans are one of the most dangerous species in the malware world: They steal money from mobile users’ bank accounts.

Who is at risk?

Anyone who owns a gadget and uses banking apps, or who buys things through application stores or in-app purchases, is at risk. Android users run the highest risk of being attacked by mobile banking Trojans: 98% of these Trojans are designed for this ubiquitous OS.

Throughout 2016 mobile banking Trojans actively attacked users from Russia, Germany, and Australia. Other countries in the top 10 are South Korea, Uzbekistan, China, Ukraine, Denmark, Kyrgyzstan, and Turkey.

Are they really that dangerous?

This type of Trojan is one of the most significant threats of the decade. In 2016 alone, Kaspersky detected more than 77,000 samples of mobile banking installers. This threat shows no sign of fading away any time soon.

How do mobile Trojans infiltrate smartphones and tablets?

Cybercriminals tend to publish malicious apps on third-party app stores, send phishing text messages containing malicious URLs, and sometimes go as far as sneaking into the official Google Play store.

Are you kidding? Even Google Play isn’t safe?

Unfortunately, it isn’t entirely safe. Although the Play Store employs a series of protections, it cannot repel 100% of all threats. Android users are frequently tricked into downloading malicious apps posing as legitimate ones. Such malicious apps include mobile banking Trojans — for example, the notorious Acecard.

How exactly do they steal the money?

Usually it works like this. Once the banking app is launched, the Trojan displays its own interface on top of the banking app’s interface. As the user enters credentials, the malware captures them.

To fool the user, a mobile banking Trojan must be able to impersonate a banking app convincingly. The most effective Trojans can impersonate dozens of banking apps, payment services, and even instant messaging apps.

There is one critical stage in the process of stealing money — hijacking SMS with one-time passwords sent by the bank’s system as part of two-factor authentication. That’s why mobile banking malware needs permission to access SMS, and that’s why you need to be extremely cautious with all apps that request such permission.

Which Trojans are the most dangerous?

OpFake is a very industrious Trojan that mimics the interfaces of almost 100 banking and finance apps. The Acecard family is also very strong: it can impersonate more than 30 banking apps or overlay any app’s interface on command. In 2016, the Asacub, Svpeng, and Faketoken Trojans swarmed Russia.

How can I protect myself?

  • Enable SMS notifications for your mobile bank. Not all banking Trojans hijack SMS, and, in general, it’s a very effective way to monitor your account.

  • Download apps only from official stores: Google Play Store for Android, Apple App Store for iOS, and so forth.

  • Look carefully at the rights each app requests. Those that request permission for access to SMS require further scrutiny.

  • Install an antivirus solution.
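The permission check recommended above can be automated when reviewing apps in bulk. The following is an added example, not code from the original article: it reads an app's decoded AndroidManifest.xml and flags requests for SMS access, alone or together with SYSTEM_ALERT_WINDOW (the Android permission for drawing over other apps, which the article does not name). The package names, sample manifests and the "high"/"review"/"none" labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"  # draw over other apps


def requested_permissions(manifest_xml):
    """Return the permission names an app requests in its manifest."""
    # Manifests come from untrusted apps and never need a DTD: refuse one
    # rather than let the XML parser expand attacker-defined entities.
    if "<!DOCTYPE" in manifest_xml.upper():
        raise ValueError("DOCTYPE not allowed in a manifest")
    perms = set()
    for elem in ET.fromstring(manifest_xml).iter():
        # Matches <uses-permission> and <uses-permission-sdk-23>.
        if elem.tag.startswith("uses-permission"):
            name = elem.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms


def triage(manifest_xml):
    """Label an app by how much scrutiny its permission requests deserve."""
    perms = requested_permissions(manifest_xml)
    sms = sorted(perms & SMS_PERMS)
    overlay = OVERLAY_PERM in perms
    if sms and overlay:
        level = "high"      # can read one-time passwords AND draw over apps
    elif sms or overlay:
        level = "review"    # legitimate apps do this too; a human must look
    else:
        level = "none"      # no signal from permissions, not proof of safety
    return {"level": level, "sms": sms, "overlay": overlay}


def _manifest(package, perms):
    """Build a constructed sample manifest (not taken from a real app)."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/'
            f'android" package="{package}">{body}<application/></manifest>')


SAMPLES = {  # constructed inputs
    "com.example.flashlight": _manifest("com.example.flashlight", [
        "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
        OVERLAY_PERM, "android.permission.INTERNET"]),
    "com.example.messenger": _manifest("com.example.messenger", [
        "android.permission.SEND_SMS", "android.permission.INTERNET"]),
    "com.example.notes": _manifest("com.example.notes", [
        "android.permission.INTERNET"]),
}
```

A "none" result only means the manifest shows neither permission; it does not replace the other precautions in the list.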


©2019 Security Unleashed | New Delhi