Banks versus Mobile Malware
According to their national banking association, the ZBP, Poland has approximately 7 million mobile banking accounts and is expecting the number to rise as the users of 36.5 million internet banking accounts continue to download mobile banking apps.
Cezary Piekarski, Executive Director and Head of Malware Protection at Standard Chartered Polska sits down to discuss the evolutionary development and current pitfalls in mobile malware specific to banking.
Aside from technical failure, malware is the top threat to mobile banking applications and, by proxy, the financial institutions who rely on them. Mobile banking security, which I define as composition of procedures, authentication, authorisation methods, and technical safeguards that are used to make the mobile banking experience secure whilst protecting funds, is a central preoccupation in my department.
The first banking malware was discovered in the early 2000’s, and they have since been persistently evolving across three distinctive areas. The first is malware delivery; the methods and techniques used by criminals to deliver malicious software to mobile devices and traditional desktops. Instead of using established delivery methods such sending malware via email, criminals are attacking software vendors or similar targets that are already trusted by the users. These organizations are then used to deliver the malicious software to the intended target, passing the malicious code as a piece of legitimate software.
The process, called ‘supply-chain attacks’, can be applied to individual customers just like it can be used to infect an entire network. Let me give an example: imagine someone attacking a developer of a popular game that is distributed to mobile devices. With the next update following a successful attack on the vendor, the game will be supplemented with a piece of malicious code to be delivered to the whole user base.
The second area occurs in monetization. In the past we understood malware in its most simplistic form– as a bug intended to damage computers – and in all fairness, we weren’t wrong. The very first waves of viruses were attacks intended to freeze activities.
But when criminals moved into monetization, their speed and evolution of their tactics increased ten-fold. Very little time has passed during the early days of stealing credentials from banking websites in order gain the true client’s ability to transfer funds, to the era of demanding ransoms from victims of encryption attacks in return for access to the affected files.
With technology diversifying our methods and platforms of financial activity, the list of threat options grew. From trojans and fileless malware to exotic hybrids, we are even finding malware created to hijack the computing power of individuals to mine cryptocurrencies. Some threats, like ransomware, hold a sickening level of potential negative impact for its victims. Others, like the aforementioned cryptomining, impact an area far removed.
“malware is the top threat to mobile banking applications and, by proxy, the financial institutions“
The third area of malware evolution is how malware actually functions and how it is designed to avoid detection. The traditional approach to fighting malware threats was to look for distinctive patterns of code, called “signatures”, by scanning all the incoming files in a system.
What malware creators did to get around this was to become polymorphic, in the sense that the malware will change its shape every time it is being executed. The press often reports that two million different malware samples are released every day, but this is just half of the story because the bottom line is that this is the same code that is basically changing its shape – with every release, it is molding itself into something new. This is not a human-driven process, but is a more automated process of evolution.
In response, security companies have directed their efforts into detecting particular behaviours. Instead of looking for a very distinctive piece of code that will allow identification of malicious code, we observe how this code or application “behaves”.
As an example, when you download a PDF, which is something that all of us do almost daily, you expect this file to be displayed in your PDF reader. You would not expect a PDF to launch a web browser and connect to an address in your internal network. This is a very simplified view of how antivirus software detects malicious code these days. Instead of relying on static and defined rules, it observes the behaviour of a code and determines the likelihood of it being malicious.
This is the perfect field for experiments with machine-learning algorithms, because learning behaviours is one of the primary goals of mass-learning (ML) algorithms and, therefore, the security industry is at the brink of a ML learning evolution. What is also quite interesting is that the evolution and adoption of ML technologies can be seen on both sides of the barricade – the security industry adopts an ML algorithm to detect malicious software, while the creators of the malicious software adopt a ML algorithm to avoid being detected.
So, who is most at risk of mobile malware? Those who play a lot of mobile games or are avid users of mobile apps, particularly unauthorized software, are typical targets. Criminals also focus their efforts on the operating systems with the highest return on investment. This means platforms that are the most popular and where its users are more likely to be vulnerable to the strategies deployed by attackers. This doesn’t mean that users of less popular platforms are safe, but they are less exposed to the risk of being attacked.
“two million different malware samples are released every day, but this is just half of the story“
And what is the result of this prevalence of mobile malware? In the case of banks that use mobile devices as a second factor for authorizing of transactions, malware is already a growing problem, because criminals can easily encourage users to provide their banking credentials and because using SMS as a one-time password is still standard in the majority of markets – when criminals have control over the device and SMS, they can easily steal the second factor and authorize a transaction in the name of the user.
With the increasing adoption of alternative authorization methods, some of which use mobile devices, this may change, both in positive and negative ways. In the positive sense, adoption of alternative methods of authorization on the mobile device can make life for criminals much trickier. For example, all authorization methods that depend on biometrics or additional inputs from the user are not so easily intercepted on the mobile device. While there is still some interaction needed from the user, such as a biometric sample, the interception of this mobile communication would be more difficult and could render the efforts of the criminal useless.
In the negative way, what we are seeing already is that, because of how PSD2 impacted the market, some users are more likely to provide their credentials on a third-party website and, therefore, be more vulnerable to phishing or malware scenarios that rely on theft of credentials. But this is the trade-off for the implementation of open banking within the current authentication and authorization schemes used by some banks.