Mobile Cyber Attacks: The Different Facets Of Smartphone Malware

Uploaded on 2022-04-11 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Financial, TECHNOLOGY--Resilience

The number of mobile apps is increasing rapidly, as are the security risks. The TeaBot Remote Access Trojan (RAT), which emerged at the beginning of 2021 and designed to steal victim’s credential and SMS messages, remains rife.

Behavioural biometrics is the key to overcoming the challenge of advances in mobile malware.

In the last decade, the use of mobile devices has increased exponentially. There are now approximately 5.3 billion unique mobile phone users worldwide, with more than 90% of them used to access the internet. Around 40 apps are installed on each mobile device, with the total number of apps downloaded expected to exceed 250 billion by the end of the year.

As the number of mobile devices and apps grows, so too does the spread of cyber attacks, with criminals becoming increasingly focused on banking apps. The methods of mobile infiltration have become increasing diverse, complex, and have the capability to be upgraded – the TeaBot Trojan RAT is no different. The now global TeaBot has infiltrated banks, cryptocurrency exchanges and digital insurance providers, causing damage everywhere it’s found. Behavioural biometrics, however, provides the key to minimising its risk.

Social Engineering On Mobile

For the most part, attacks start with sophisticated social engineering attacks to get the user to download the malware onto his or her end device. These Trojans are often come in the form of phishing emails, text messages or fake apps. 

The Trojan then installs itself and enables the hacker to collect information as well as load further malware. Remote access tools (RAT), for example, enable the criminal to gain administrative access of the device and intercept banking app credentials or even one-time passcodes. 

According to our research, 1 in 24 fraud cases involved a RAT attack. HTML overlay attacks are also used to obtain critical data. In most situations, those who use a banking app on their smartphone are unaware of such actions. 

TeaBot: An Attacker's Chronicle

Malware detection traditionally depended on conventional antivirus technologies that search for the name of suspicious files and regularly check apps and their hashes for malware.  These strategies, on the other hand, have continually hit their limits in recent years. This is because, in order to avoid detection by antivirus software, hackers create malware with a constantly changing file name. 

Last year, the TeaBot malware, also known as Anatsa in Germany, made headlines. The developers of the malicious code try to trick their victim into downloading the malware by disguising it as a supposedly harmless app. TeaBot is equipped with RAT functions and is available in several languages. The banking Trojan is spread via malicious apps outside the Play Store - under names such as VLC MediaPlayer, UPS, and DHL. To spread the malware en masse, the hackers use so-called smishing attacks: Their victim receives an SMS with a link to the app and uses it to download the Trojan. Another method of distribution are fake pop-ups through which TeaBot is downloaded and installed, implementing itself as an Android service and runs in the background. This allows it to nestle permanently in the end device without being detected. After downloading, it acquires broad permissions and instantly begins scanning the applications installed on the device. 

The TeaBot trojan effectively takes over the user’s mobile device by remotely control the victim's smartphone. It has the capability to read SMS messages and forward them to the command-and-control server to bypass OTP (one-time password) precautions. It obtains access authorisations to approve notifications and has logging functions, that can disable Google Play Protect and initiates overlay attacks. Teabot does this by loading a specially crafted login page for the target application from the command-and-control server. The phishing page is placed over the banking app. Here, the user's credentials are collected using keylogging and forwarded to the command-and-control server controlled by the hacker. 

TeaBot mainly targets banking and cryptocurrency apps, but the malware also collects information from other installed apps. It is practically impossible for those affected to delete it. And it can cause a lot of financial damage if a criminal gains access to the login and account data and can use them to make transfers. 

 Behavioural Biometrics: Detecting Mobile Malware

One way to detect TeaBot is to use solutions based on behavioural biometrics. With the help of this technology, banks are able to identify whether it is a real user operating the device or whether the device is being controlled by the malware remotely via RAT. One example of how the malware behaves differently to a genuine user is the navigation speed. When in control of the device, fraudsters controlling the device are very familiar with the payment process and execute payments quickly to avoid being detected by the victim. 

Technologies based on behavioural biometrics match the user's behaviour with previous customer sessions to determine consistency and intent. The way a user holds their mobile device is also another indicating factor: in fraudulent sessions, the device may rest on the table for the entire session, while a real user moves around with their smartphone. Touch and swipe patterns can also be analysed and matched. In the case of a RAT attack, no touch areas are usually visible, which indicates that the terminal is being controlled remotely. If swipe movements on the display are detected at a different location than in previous sessions, this indicates that the real user had no control over the device during the session. 

An alert is delivered to the bank's security experts if the technology identifies a number of fraudulent elements in combination based on behavioural biometrics. With behavioural biometrics and machine learning, financial institutions can thus intervene preventively in a fraud attempt before the customer suffers any financial damage.  

Gemma Staite is  Threat Analytics Lead at BioCatch

You Might Also Read:

The Different Types of Malware:

 

« FOR PEN TESTING – CYRIN’s CYBER RANGE
Russia Hacked Ukrainian Satellite Communications »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Ascentor

Ascentor

Ascentor specialises in independent information and cyber security consultancy. We’re experienced industry experts, providing cyber security services since 2004.

Techmeme

Techmeme

Techmeme is an online news curation service focused on leading edge technology, including cyber security.

Institute for Critical Infrastructure Technology (ICIT)

Institute for Critical Infrastructure Technology (ICIT)

ICIT is a leading cybersecurity think tank providing objective research, advisory, and education to legislative, commercial, and public-sector cybersecurity stakeholders.

ATSEC Information Security

ATSEC Information Security

ATSEC is an independent, privately-owned company that focuses on providing laboratory and consulting services for information security.

Flexential

Flexential

Flexential helps organizations optimize their journey of IT transformation while simultaneously balancing cost, scalability, compliance and security.

LIFARS

LIFARS

LIFARS is a global leader in Digital Forensics and Cyber Resiliency Services.

Virtru

Virtru

Virtru's Data Protection platform protects and controls sensitive information regardless of where it's been created, stored or shared.

Consortium for Information & Software Quality (CISQ)

Consortium for Information & Software Quality (CISQ)

The mission of CISQ is to develop international standards for software quality and to promote the development and sustainment of secure, reliable, and trustworthy software.

Vijilan Security

Vijilan Security

Vijilan provides 24/7 SOC services to MSPs/VARs. Our Security Operations Center is global, and our services are exclusive to the Channel.

usecure

usecure

usecure is a global provider of computer-based cyber security awareness training, offering the market’s most time-efficient, cost-effective and admin-lite solution for reducing insider threats.

PacketViper

PacketViper

PacketViper’s Deception360 actively defends networks with deception-based threat detection and automated response to both external and internal cyber threats.

Lupovis

Lupovis

Lupovis is an AI-based deception solution that deploys active decoys turning your network from a flock of sheep to a pack of wolves where the hunter becomes the hunted.

ViewQwest

ViewQwest

ViewQwest is a regional telecommunications & information technology services company. We specialize in providing Connectivity, Managed Network, Managed SD-WAN, and Managed Security solutions.

iManage

iManage

iManage's intelligent, cloud-enabled, secure knowledge work platform enables organizations to uncover and activate the knowledge that exists inside their business.

Lodestone

Lodestone

Lodestone partners with clients to help them mitigate business and reputational risk, through our human-based, approach to cyber security, digital forensics and incident response.

Elastio

Elastio

Elastio's cloud-native platform safeguards cloud data from the risks posed by ransomware, application failures and storage security vulnerabilities.