Mobile Cyber Attacks: The Different Facets Of Smartphone Malware

Uploaded on 2022-04-11 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Financial, TECHNOLOGY--Resilience

The number of mobile apps is increasing rapidly, as are the security risks. The TeaBot Remote Access Trojan (RAT), which emerged at the beginning of 2021 and designed to steal victim’s credential and SMS messages, remains rife.

Behavioural biometrics is the key to overcoming the challenge of advances in mobile malware.

In the last decade, the use of mobile devices has increased exponentially. There are now approximately 5.3 billion unique mobile phone users worldwide, with more than 90% of them used to access the internet. Around 40 apps are installed on each mobile device, with the total number of apps downloaded expected to exceed 250 billion by the end of the year.

As the number of mobile devices and apps grows, so too does the spread of cyber attacks, with criminals becoming increasingly focused on banking apps. The methods of mobile infiltration have become increasing diverse, complex, and have the capability to be upgraded – the TeaBot Trojan RAT is no different. The now global TeaBot has infiltrated banks, cryptocurrency exchanges and digital insurance providers, causing damage everywhere it’s found. Behavioural biometrics, however, provides the key to minimising its risk.

Social Engineering On Mobile

For the most part, attacks start with sophisticated social engineering attacks to get the user to download the malware onto his or her end device. These Trojans are often come in the form of phishing emails, text messages or fake apps. 

The Trojan then installs itself and enables the hacker to collect information as well as load further malware. Remote access tools (RAT), for example, enable the criminal to gain administrative access of the device and intercept banking app credentials or even one-time passcodes. 

According to our research, 1 in 24 fraud cases involved a RAT attack. HTML overlay attacks are also used to obtain critical data. In most situations, those who use a banking app on their smartphone are unaware of such actions. 

TeaBot: An Attacker's Chronicle

Malware detection traditionally depended on conventional antivirus technologies that search for the name of suspicious files and regularly check apps and their hashes for malware.  These strategies, on the other hand, have continually hit their limits in recent years. This is because, in order to avoid detection by antivirus software, hackers create malware with a constantly changing file name. 

Last year, the TeaBot malware, also known as Anatsa in Germany, made headlines. The developers of the malicious code try to trick their victim into downloading the malware by disguising it as a supposedly harmless app. TeaBot is equipped with RAT functions and is available in several languages. The banking Trojan is spread via malicious apps outside the Play Store - under names such as VLC MediaPlayer, UPS, and DHL. To spread the malware en masse, the hackers use so-called smishing attacks: Their victim receives an SMS with a link to the app and uses it to download the Trojan. Another method of distribution are fake pop-ups through which TeaBot is downloaded and installed, implementing itself as an Android service and runs in the background. This allows it to nestle permanently in the end device without being detected. After downloading, it acquires broad permissions and instantly begins scanning the applications installed on the device. 

The TeaBot trojan effectively takes over the user’s mobile device by remotely control the victim's smartphone. It has the capability to read SMS messages and forward them to the command-and-control server to bypass OTP (one-time password) precautions. It obtains access authorisations to approve notifications and has logging functions, that can disable Google Play Protect and initiates overlay attacks. Teabot does this by loading a specially crafted login page for the target application from the command-and-control server. The phishing page is placed over the banking app. Here, the user's credentials are collected using keylogging and forwarded to the command-and-control server controlled by the hacker. 

TeaBot mainly targets banking and cryptocurrency apps, but the malware also collects information from other installed apps. It is practically impossible for those affected to delete it. And it can cause a lot of financial damage if a criminal gains access to the login and account data and can use them to make transfers. 

 Behavioural Biometrics: Detecting Mobile Malware

One way to detect TeaBot is to use solutions based on behavioural biometrics. With the help of this technology, banks are able to identify whether it is a real user operating the device or whether the device is being controlled by the malware remotely via RAT. One example of how the malware behaves differently to a genuine user is the navigation speed. When in control of the device, fraudsters controlling the device are very familiar with the payment process and execute payments quickly to avoid being detected by the victim. 

Technologies based on behavioural biometrics match the user's behaviour with previous customer sessions to determine consistency and intent. The way a user holds their mobile device is also another indicating factor: in fraudulent sessions, the device may rest on the table for the entire session, while a real user moves around with their smartphone. Touch and swipe patterns can also be analysed and matched. In the case of a RAT attack, no touch areas are usually visible, which indicates that the terminal is being controlled remotely. If swipe movements on the display are detected at a different location than in previous sessions, this indicates that the real user had no control over the device during the session. 

An alert is delivered to the bank's security experts if the technology identifies a number of fraudulent elements in combination based on behavioural biometrics. With behavioural biometrics and machine learning, financial institutions can thus intervene preventively in a fraud attempt before the customer suffers any financial damage.  

Gemma Staite is  Threat Analytics Lead at BioCatch

You Might Also Read:

The Different Types of Malware:

 

« FOR PEN TESTING – CYRIN’s CYBER RANGE
Russia Hacked Ukrainian Satellite Communications »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

aizoOn Technology Consulting

aizoOn Technology Consulting

aizoOn is a technology consulting company offering a range of services including IoT & embedded security, mobile security, cybersecurity assessments, risk & compliance, network monitoring and more.

Global Station for Big Data & Cybersecurity (GSB)

Global Station for Big Data & Cybersecurity (GSB)

GSB is an interdisciplinary research hub to cover big data, information networks, and cybersecurity.

PrivateCore

PrivateCore

We protect data-in-use from hackers trying to steal data such as encryption keys, certificates, intellectual property.

Cyber Resilient Energy Delivery Consortium (CREDC)

Cyber Resilient Energy Delivery Consortium (CREDC)

CREDC performs multidisciplinary R&D in support of the Energy Sector Control Systems Working Group’s Roadmap of resilient Energy Delivery Systems (EDS).

Danish Maritime Cybersecurity Unit

Danish Maritime Cybersecurity Unit

The Danish Maritime Cybersecurity Unit is tasked with delivering the initiatives set out in the Cyber and Information Security Strategy for the Maritime Sector.

CryptoCurrency Certification Consortium (C4)

CryptoCurrency Certification Consortium (C4)

The CryptoCurrency Certification Consortium is a non-profit organization that provides certifications to professionals who perform cryptocurrency-related services.

Enzen

Enzen

Enzen is a global knowledge practice that provides consulting, technology, engineering, operating and innovation services to the energy and utility sectors.

RMC

RMC

RMC was purpose-built for Mission Assurance and ICS/OT cybersecurity, dedicated to strengthening and protecting government and commercial assets.

Cyber Legion

Cyber Legion

Cyber Legion Ltd is a UK-based Cyber Security as a Service (CSaaS) start-up that provides IT security testing services to various organizations around the globe.

TheHive Project

TheHive Project

TheHive Project is a Scalable, Open Source and Free Security Incident Response Platform for SOC, CSIRT and CERT teams.

Redington

Redington

Redington offer products and services in solution areas including digital transformation, hybrid infrastructure and cybersecurity.

Azerbaijan Cybersecurity Center (ACC)

Azerbaijan Cybersecurity Center (ACC)

Azerbaijan Cybersecurity Center is a state-of-the-art facility to deliver advanced cyber training programs and build the next generation of Azerbaijan’s cybersecurity professionals.

Institute for Applied Network Security (IANS)

Institute for Applied Network Security (IANS)

For the security practitioner caught between rapidly evolving threats and demanding executives, IANS Research is a clear-headed resource for decision making and articulating risk.

Staley Technologies

Staley Technologies

Staley Technologies is a US nationwide structured cabling, technology integrator, and Managed IT & Cyber Security provider.

Secur-Serv

Secur-Serv

Secur-Serv is a security-first managed services provider. We provides Managed IT, Managed Print, Managed Device, and Cybersecurity services to companies of every size.

Forthright Technology Partners

Forthright Technology Partners

Forthright Technology Partners (Forthright) is a next-generation cloud and managed IT services provider serving a global clientele.