Mobile Cyber Attacks: The Different Facets Of Smartphone Malware

The number of mobile apps is increasing rapidly, and so are the security risks. The TeaBot Remote Access Trojan (RAT), which emerged at the beginning of 2021 and was designed to steal victims' credentials and SMS messages, remains rife.

Behavioural biometrics is the key to overcoming the challenge of advances in mobile malware.

In the last decade, the use of mobile devices has increased exponentially. There are now approximately 5.3 billion unique mobile phone users worldwide, with more than 90% of them used to access the internet. Around 40 apps are installed on each mobile device, with the total number of apps downloaded expected to exceed 250 billion by the end of the year.

As the number of mobile devices and apps grows, so too does the volume of cyber attacks, with criminals increasingly focused on banking apps. Mobile infiltration methods have become more diverse and more complex, and the malware can be upgraded in the field after infection; the TeaBot RAT is no different. Now spread globally, TeaBot has targeted customers of banks, cryptocurrency exchanges and digital insurance providers, causing damage wherever it is found. Behavioural biometrics, however, provides the key to minimising its risk.

Social Engineering On Mobile

For the most part, attacks begin with sophisticated social engineering to get the user to install the malware on his or her own device. The Trojans usually arrive via phishing emails, text messages or fake apps.

Once installed, the Trojan lets the attacker collect information and load further malware. Remote access tools (RATs), for example, give the criminal remote control of the device, allowing them to intercept banking app credentials or even one-time passcodes.

According to our research, 1 in 24 fraud cases involved a RAT attack. HTML overlay attacks are also used to obtain critical data. In most cases, those who use a banking app on their smartphone are unaware that any of this is happening.

TeaBot: An Attacker's Chronicle

Malware detection traditionally relied on conventional antivirus technology that looks for the names of known-malicious files and regularly checks apps and their hashes against signature lists. In recent years these strategies have repeatedly hit their limits, because attackers repackage their malware continuously so that file names and hashes change with every build and no longer match a signature.

Last year the TeaBot malware, also tracked under the name Anatsa, made headlines. Its developers trick victims into downloading the malware by disguising it as a supposedly harmless app. TeaBot is equipped with RAT functions and is available in several languages. The banking Trojan is spread via malicious apps outside the Play Store under names such as VLC MediaPlayer, UPS and DHL. To spread the malware en masse, the attackers use so-called smishing: the victim receives an SMS containing a link and uses it to download the Trojan. Another distribution method is fake pop-ups through which TeaBot is downloaded and installed. It registers itself as an Android service and runs in the background, which lets it persist on the device without being noticed. After installation it requests broad permissions (in practice, access to the Android Accessibility Service, which is what lets it read and act on other apps' screens) and immediately begins scanning the applications installed on the device.

TeaBot effectively takes over the user's mobile device by controlling it remotely. It can read SMS messages and forward them to its command-and-control (C2) server, which defeats OTP (one-time password) protection. It can intercept and act on notifications, log keystrokes, disable Google Play Protect and launch overlay attacks. For an overlay attack, TeaBot fetches a specially crafted login page for the targeted application from the C2 server and draws it over the genuine banking app. The credentials the user types into this phishing page are captured, together with keylogged input, and forwarded to the attacker-controlled C2 server.

TeaBot mainly targets banking and cryptocurrency apps, but it also collects information from other installed apps. For those affected it is very difficult to remove. And it can cause serious financial damage once a criminal holds the login and account data and uses them to make transfers.
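The permission mix just described (SMS access for OTP theft, an Accessibility Service for remote control and uninstall blocking, overlay windows for fake login pages, and enumeration of installed apps) is visible in an app's manifest before it ever runs, and unlike a file hash it survives the constant repackaging that defeats signature-based antivirus. The following triage script is an added example, not TeaBot's code or its real manifest; the two manifests, the capability weights and the verdict thresholds are constructed for illustration, and the permission and service names are the standard Android ones.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability mix
described above: SMS access (OTP theft), an Accessibility Service (remote
control and uninstall blocking), overlay windows (fake login pages) and
package enumeration (scanning installed apps).  This is an added example,
not TeaBot's code or manifest; the manifests below are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Capability -> (permissions that grant it, weight).  Weights are an
# assumption for this example, not a published scoring scheme.
CAPABILITIES = {
    "sms_access": ({"android.permission.RECEIVE_SMS",
                    "android.permission.READ_SMS"}, 3),
    "overlay": ({"android.permission.SYSTEM_ALERT_WINDOW"}, 2),
    "enumerate_apps": ({"android.permission.QUERY_ALL_PACKAGES"}, 1),
    "persist_on_boot": ({"android.permission.RECEIVE_BOOT_COMPLETED"}, 1),
}


@dataclass
class TriageResult:
    package: str
    capabilities: list = field(default_factory=list)
    score: int = 0
    verdict: str = "benign"


def triage_manifest(manifest_xml: str) -> TriageResult:
    """Score one decoded manifest.  Real APKs carry a binary (AXML) manifest;
    decode it first (e.g. with apktool) and feed the resulting XML here."""
    root = ET.fromstring(manifest_xml)
    result = TriageResult(package=root.get("package", "?"))

    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    for cap, (perms, weight) in CAPABILITIES.items():
        if requested & perms:
            result.capabilities.append(cap)
            result.score += weight

    # An accessibility service is not a <uses-permission>: it is a <service>
    # that the system must be allowed to bind to via BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == ACCESSIBILITY_BIND:
            result.capabilities.append("accessibility_service")
            result.score += 3
            break

    # Accessibility control combined with SMS or overlay capability is the
    # RAT + overlay profile; a single odd permission is only worth a look.
    if "accessibility_service" in result.capabilities and result.score >= 6:
        result.verdict = "suspicious: RAT/overlay banking-trojan profile"
    elif result.score >= 4:
        result.verdict = "review"
    return result


# Constructed manifest of an impostor "media player" (not a real sample).
IMPOSTOR_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mediaplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="VLC MediaPlayer">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of a harmless note-taking app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (IMPOSTOR_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r.package, r.score, r.capabilities, r.verdict)
```

The check deliberately keys on the accessibility service declaration rather than on any single permission: a legitimate SMS app or a screen-reader will request one of these capabilities in isolation, but a "media player" that wants SMS, overlays and an accessibility service at once matches the behaviour described above and deserves a look before the hash ever reaches a signature database.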

Behavioural Biometrics: Detecting Mobile Malware

One way to detect TeaBot is to use solutions based on behavioural biometrics. With this technology, banks can identify whether a real user is operating the device or whether it is being controlled remotely by the malware via its RAT function. One way the malware's behaviour differs from a genuine user's is navigation speed: fraudsters are very familiar with the payment process and execute payments quickly to avoid being noticed by the victim.

Technologies based on behavioural biometrics compare the user's behaviour with previous sessions of the same customer to determine consistency and intent. The way a user holds the mobile device is another indicator: in fraudulent sessions the device may rest on a table for the entire session, whereas a real user moves around with their smartphone. Touch and swipe patterns can also be analysed and matched. In a RAT attack, the interface is being operated but no touch events are recorded, which indicates that the device is being controlled remotely. If swipe movements are detected at a different location on the display than in previous sessions, this also indicates that the real user was not in control during the session.

An alert is sent to the bank's security team when the technology identifies several such fraud indicators in combination. With behavioural biometrics and machine learning, financial institutions can thus intervene in a fraud attempt before the customer suffers any financial loss.
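The four indicators from the two paragraphs above (payment speed, a device that never moves, screen activity without touches, swipes in an unfamiliar region) and the rule that an alert needs several of them in combination can be written down as a small session scorer. The code below is an added example with constructed telemetry; it is not BioCatch's model, and the thresholds (two standard deviations below the customer's mean payment time, one tenth of their least motion, a 0.3 screen-width drift, two coinciding indicators) are assumptions chosen for illustration.

```python
"""Behavioural-biometrics session scoring along the lines described above:
compare a live banking session's telemetry with the same customer's earlier
sessions and alert only when several RAT indicators coincide.  Added
example with constructed telemetry; the thresholds are assumptions for
illustration, not BioCatch's model."""
import math
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional, Tuple


@dataclass
class Session:
    payment_seconds: float   # opening the transfer screen -> confirming the payment
    motion_stddev: float     # std-dev of accelerometer magnitude (m/s^2) over the session
    touch_events: int        # raw touch-down events the app observed
    ui_actions: int          # button presses / field edits that actually took place
    swipe_centre: Optional[Tuple[float, float]]  # mean (x, y) of swipes, 0..1; None if no swipes


def build_profile(history):
    """Baseline from the customer's previous genuine sessions."""
    return {
        "payment_mean": mean(s.payment_seconds for s in history),
        "payment_sd": max(pstdev([s.payment_seconds for s in history]), 1.0),
        "motion_min": min(s.motion_stddev for s in history),
        "swipe_x": mean(s.swipe_centre[0] for s in history if s.swipe_centre),
        "swipe_y": mean(s.swipe_centre[1] for s in history if s.swipe_centre),
    }


def score_session(session, profile):
    """Return (indicators, alert).  alert is True only when at least two
    indicators coincide, so a hurried but genuine user is not blocked."""
    flags = []
    # 1. Navigation speed: payment completed far faster than this customer ever has.
    if session.payment_seconds < profile["payment_mean"] - 2 * profile["payment_sd"]:
        flags.append("payment_too_fast")
    # 2. Device at rest on a table: almost no motion, although genuine sessions always show some.
    if session.motion_stddev < 0.1 * profile["motion_min"]:
        flags.append("device_stationary")
    # 3. Screen operated without any touch: input injected by a remote operator.
    if session.ui_actions > 0 and session.touch_events == 0:
        flags.append("no_touch_input")
    # 4. Swipes landing somewhere else on the display than this user's usual region.
    if session.swipe_centre is not None:
        drift = math.hypot(session.swipe_centre[0] - profile["swipe_x"],
                           session.swipe_centre[1] - profile["swipe_y"])
        if drift > 0.3:
            flags.append("swipe_location_shift")
    return flags, len(flags) >= 2


# Constructed telemetry: three genuine sessions for the baseline, then three to score.
HISTORY = [
    Session(48.0, 1.4, 37, 12, (0.52, 0.61)),
    Session(55.0, 1.1, 41, 13, (0.50, 0.64)),
    Session(44.0, 1.7, 35, 12, (0.55, 0.60)),
]
PROFILE = build_profile(HISTORY)

GENUINE_SESSION = Session(51.0, 1.3, 39, 12, (0.53, 0.62))
HURRIED_SESSION = Session(35.0, 1.5, 40, 12, (0.54, 0.60))  # fast, but a real hand on the phone
RAT_SESSION = Session(9.0, 0.02, 0, 14, None)                 # remote operator: no touches, phone on the table

if __name__ == "__main__":
    for name, s in [("genuine", GENUINE_SESSION), ("hurried", HURRIED_SESSION), ("rat", RAT_SESSION)]:
        print(name, score_session(s, PROFILE))
```

The hurried session trips only the speed indicator and is not escalated, while the remote-control session trips speed, stillness and the absence of touch input at once and would be sent to the security team; the missing swipe data in that session is handled rather than treated as a match, since a remote operator who injects taps produces no swipes for the fourth check to compare.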

Gemma Staite is Threat Analytics Lead at BioCatch
