Next Big Mobile Security Threat: Look-Alike Banking Apps

Mobile banking is now a way of life for the connected people. It also presents a lucrative opportunity for criminals to commit fraud. One of the easiest ways to breach into a victim’s portal is through malware and apps which require excessive permissions.

According to a report by RiskIQ criminals are using look-a-like banking apps to distribute malware and capture data on the device in order to commit crimes. The company found that more than 40,000 (or 11 per cent) of the 350,000 apps which reference banking in the world’s top 90 app stores contain malware or suspicious binaries.

Of the more than 40,000 mobile apps listed in the report as suspicious:

• 21,076 contained adware
• 20,000 contained Trojan malware
• 3,823 contained spyware
• 209 contained exploit code

178 contained malicious JavaScript

Ajay Khubchandani, Senior IT Security Expert, ESS Distribution Pvt Ltd (official distributor of ESET products in India) predicts that attacks on online payment systems and net-banking will increase as it is widely used by people and businesses for managing their finances.

“As the usage of virtualization by home users and SMEs increase, the attacks on them increase too. Various service networks for web performance, optimization, analytics, personalization, etc. will be increasingly targeted via both sophisticated attacks (i.e. code injection of specific customers) and unsophisticated attacks (DDoS),” he further added.

The Best Defence

The best way to tackle these issues is to apply a layered approach by implementing different techniques within each layer. Here are some of the key steps you can take to strengthen app security using currently available technology.

App in Stealth Mode

Deter attacks by making it difficult for attackers to understand the app workflows. This can be achieved through implementing reverse engineering resistance using data obfuscation (Hiding original data with random characters, and anti-debugging capabilities.)

Always make sure that the apps don’t run on smartphone emulators by using strong device binding/fingerprinting resistant to spoofing.

Open source OS like Android can easily be breached so it’s always better to create your own security libraries, which avoids being exposed to standard OS vulnerabilities that are often easily available and promoted within the public domain.

Data Protection

Don’t rely on standard Android or iOS mobile software development kits (SDK) to safeguard your app data and always use alternative proprietary secure storage based on data obfuscation. When a Secure Element is not available, the security library should store the most sensitive data, e.g. encryption keys, in non-obvious locations and enable the location to be changed regularly.

Secure your Communication Channels

Use ‘certificate pinning’ to protect communications. This checks a server’s certificate against trusted validation data to confirm the source is safe. A copy of this certificate is then ‘bundled with the app’ to provide stronger authentication in the future. Additional protocols can also be used to improve resistance against man-in-the-middle attacks.

Attack Detection

Use anti-malware and sentinels built into the app to enable attack detection and defensive reaction. This method can be used as a two-line defence, where the app can either react immediately or harvest data about the attack before enforcing its defences at a seemingly random point.

According to Sethu S Raman, Chief Risk Officer, Mphasis, “Cyber-attacks are pretty different from that of the physical world attacks. Many times we may not know our enemies and where are they based. In a recent case, the forensic team found that he was one amongst us but perpetrating these activities. It is not simply installing some anti-virus, or putting some spam filters and few other security software which generally is a trend in corporates. There has to be a thought out Security Strategy which is aligned with the corporate strategy and the IT strategy of the company. A proper risk assessment of the information assets of the organization should be done which should dictate the development of a comprehensive security architecture.”

Man-in-the-middle Attack

Last year a serious security flaw affecting approximately 1,500 iOS apps was detected. This made them vulnerable to hackers looking to swipe passwords, bank account info and other sensitive data, according to a report by security analytics firm SourceDNA.

App store needs to be Secure

The problem with distributing apps through vendor and third party stores is that there are different levels of security offered to developers who distribute their apps through these venues. Some app store operations are highly secure and demand that developers meet rigorous standards before their apps can be offered, while others’ standards are less stringent. The result is that app stores are susceptible to a variety of security and related problems, such as the distribution of copycat apps and malware distribution. Also, some applications are vulnerable to a variety of security problems as they are not well written.

The fragmentation in the Android space, which is significantly greater than iOS, contributes to the mobile malware problem because cybercriminals can impact a large proportion of Android users who are using older and less secure versions of the operating system.

To Conclude…

Every organization that distributes mobile apps via app stores should implement a robust mobile app security solution to protect their brands, trademarks and other intellectual property. Adhering to security best practices, such as keeping away from untrustworthy apps and app sources, will reduce the risks considerably.