Mobile Cyber Attacks: The Different Facets Of Smartphone Malware

Uploaded on 2022-04-11 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Financial, TECHNOLOGY--Resilience

The number of mobile apps is increasing rapidly, as are the security risks. The TeaBot Remote Access Trojan (RAT), which emerged at the beginning of 2021 and designed to steal victim’s credential and SMS messages, remains rife.

Behavioural biometrics is the key to overcoming the challenge of advances in mobile malware.

In the last decade, the use of mobile devices has increased exponentially. There are now approximately 5.3 billion unique mobile phone users worldwide, with more than 90% of them used to access the internet. Around 40 apps are installed on each mobile device, with the total number of apps downloaded expected to exceed 250 billion by the end of the year.

As the number of mobile devices and apps grows, so too does the spread of cyber attacks, with criminals becoming increasingly focused on banking apps. The methods of mobile infiltration have become increasing diverse, complex, and have the capability to be upgraded – the TeaBot Trojan RAT is no different. The now global TeaBot has infiltrated banks, cryptocurrency exchanges and digital insurance providers, causing damage everywhere it’s found. Behavioural biometrics, however, provides the key to minimising its risk.

Social Engineering On Mobile

For the most part, attacks start with sophisticated social engineering attacks to get the user to download the malware onto his or her end device. These Trojans are often come in the form of phishing emails, text messages or fake apps. 

The Trojan then installs itself and enables the hacker to collect information as well as load further malware. Remote access tools (RAT), for example, enable the criminal to gain administrative access of the device and intercept banking app credentials or even one-time passcodes. 

According to our research, 1 in 24 fraud cases involved a RAT attack. HTML overlay attacks are also used to obtain critical data. In most situations, those who use a banking app on their smartphone are unaware of such actions. 

TeaBot: An Attacker's Chronicle

Malware detection traditionally depended on conventional antivirus technologies that search for the name of suspicious files and regularly check apps and their hashes for malware.  These strategies, on the other hand, have continually hit their limits in recent years. This is because, in order to avoid detection by antivirus software, hackers create malware with a constantly changing file name. 

Last year, the TeaBot malware, also known as Anatsa in Germany, made headlines. The developers of the malicious code try to trick their victim into downloading the malware by disguising it as a supposedly harmless app. TeaBot is equipped with RAT functions and is available in several languages. The banking Trojan is spread via malicious apps outside the Play Store - under names such as VLC MediaPlayer, UPS, and DHL. To spread the malware en masse, the hackers use so-called smishing attacks: Their victim receives an SMS with a link to the app and uses it to download the Trojan. Another method of distribution are fake pop-ups through which TeaBot is downloaded and installed, implementing itself as an Android service and runs in the background. This allows it to nestle permanently in the end device without being detected. After downloading, it acquires broad permissions and instantly begins scanning the applications installed on the device. 

The TeaBot trojan effectively takes over the user’s mobile device by remotely control the victim's smartphone. It has the capability to read SMS messages and forward them to the command-and-control server to bypass OTP (one-time password) precautions. It obtains access authorisations to approve notifications and has logging functions, that can disable Google Play Protect and initiates overlay attacks. Teabot does this by loading a specially crafted login page for the target application from the command-and-control server. The phishing page is placed over the banking app. Here, the user's credentials are collected using keylogging and forwarded to the command-and-control server controlled by the hacker. 

TeaBot mainly targets banking and cryptocurrency apps, but the malware also collects information from other installed apps. It is practically impossible for those affected to delete it. And it can cause a lot of financial damage if a criminal gains access to the login and account data and can use them to make transfers. 

 Behavioural Biometrics: Detecting Mobile Malware

One way to detect TeaBot is to use solutions based on behavioural biometrics. With the help of this technology, banks are able to identify whether it is a real user operating the device or whether the device is being controlled by the malware remotely via RAT. One example of how the malware behaves differently to a genuine user is the navigation speed. When in control of the device, fraudsters controlling the device are very familiar with the payment process and execute payments quickly to avoid being detected by the victim. 

Technologies based on behavioural biometrics match the user's behaviour with previous customer sessions to determine consistency and intent. The way a user holds their mobile device is also another indicating factor: in fraudulent sessions, the device may rest on the table for the entire session, while a real user moves around with their smartphone. Touch and swipe patterns can also be analysed and matched. In the case of a RAT attack, no touch areas are usually visible, which indicates that the terminal is being controlled remotely. If swipe movements on the display are detected at a different location than in previous sessions, this indicates that the real user had no control over the device during the session. 

An alert is delivered to the bank's security experts if the technology identifies a number of fraudulent elements in combination based on behavioural biometrics. With behavioural biometrics and machine learning, financial institutions can thus intervene preventively in a fraud attempt before the customer suffers any financial damage.  

Gemma Staite is  Threat Analytics Lead at BioCatch

You Might Also Read:

The Different Types of Malware:

 

« FOR PEN TESTING – CYRIN’s CYBER RANGE
Russia Hacked Ukrainian Satellite Communications »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

USNA Center for Cyber Security Studies

USNA Center for Cyber Security Studies

The mission of the Center for Cyber Security Studies is to enhance the education of midshipmen in all areas of cyber warfare.

Sparta Consulting

Sparta Consulting

Sparta Consulting is an information management and business development full service provider.

Secure Innovations

Secure Innovations

Secure Innovations is a cybersecurity firm dedicated to providing top-tier cyber security solutions for the Defense and the Intelligence Community.

Cyjax

Cyjax

Cyjax monitors the Internet to identify the digital risks to your organisation, including cyber threats, reputational risks and the Darknet.

IPN (ICT Research Platform Nederlands)

IPN (ICT Research Platform Nederlands)

IPN promotes academic research and education in the ICT field by building and maintaining a national community, and by developing policy to advance the field. Areas of focus include Cyber Security.

NSIT

NSIT

NSIT SAS is a consulting, advisory and service provider in IT systems. Solution areas include networking & infrastructure, IT management & administration, and cyber security.

IEEE Cyber Science and Technology Congress (CyberSciTech)

IEEE Cyber Science and Technology Congress (CyberSciTech)

CyberSciTech provides a platform for scientists, researchers, and engineers to share their latest ideas and advances in the broad scope of cyber-related science, technology, and application topics.

Intercast Global

Intercast Global

Intercast's mission is to be a strategic resource to our clients in Risk Reduction. We are a global leader in cyber security staffing and consulting to the enterprise.

ProSearch Partners

ProSearch Partners

ProSearch Partners are national talent acquisition specialists exclusively focussing on Technology and Digital talent including Cybersecurity, Data Analytics and Execs.

HunCERT

HunCERT

HunCERT's mission is to assist Hungarian Internet Service Providers in applying appropriate procedures to address the risks of computer network incidents and to respond to such incidents.

SEMNet

SEMNet

SEMNet is an IT solutions provider and an infrastructure and security consulting firm.

Gotham Digital Science (GDS)

Gotham Digital Science (GDS)

Gotham Digital Science is an international security services company specializing in Application and Network Infrastructure security, and Information Security Risk Management.

Anxinsec

Anxinsec

Anxinsec Technology is a security solution and service provider with a focus on new technology and innovations in cybersecurity.

iSPIRAL IT Solutions

iSPIRAL IT Solutions

iSPIRAL is a leading regulatory technology software provider delivering state-of-art AML, KYC, Risk and Compliance solutions.

Flare Systems

Flare Systems

Flare proactively detects and remediates exposure across the clear & dark web, providing organizations with the equivalent of an automated cyber reconnaissance team.

Palindrome Technologies

Palindrome Technologies

Palindrome Technologies help clients defend against cyberattacks across all attack surfaces, including hardware, software, network-to-cloud, people, and emerging technologies.