Mobile Banking Trojans: A Top-10 Threat for the First Time

In 2015, for the first time ever, mobile financial threats ranked among the top ten malicious programs designed to steal money.

That finding, from Kaspersky Lab’s recap of the year in security, is perhaps somewhat expected given the ubiquity of mobile devices.

“This year, cybercriminals focused time and resources in developing malicious financial programs for mobile devices,” said Yury Namestnikov, senior security researcher in Kaspersky Lab’s Global Research and Analysis Team. “This is not surprising as millions of people worldwide now use their smartphone to pay for services and goods. Based on current trends, we can assume that next year, mobile banking malware will account for an even greater share.”

Two families of mobile banking trojans, Faketoken and Marcher, cracked the list. The Faketoken family works in partnership with computer Trojans: the user is manipulated into installing an application on their smartphone which is actually a trojan that intercepts the one-time confirmation code (mTAN). The malicious programs belonging to the Marcher family, meanwhile, steal payment details directly from Android devices. After infecting a device, Marcher tracks the launch of just two apps—the mobile banking app of a European bank and Google Play. If the user starts either of these apps, Marcher displays a false window requesting credit card details, which are then sent to the cyber-criminals.

Traditional financial cybercrime did not decline in 2015, however: in total, Kaspersky Lab solutions blocked almost two million (1,966,324) attempts to launch malware capable of stealing money via online banking on computers, an increase of 2.8% from 2014 (1,910,520).

Beyond the banking trojan findings, the Kaspersky Lab Security Bulletin Overall Statistics Report for 2015 also detailed the trends of cybercriminals switching from malware attacks to the aggressive distribution of adware, an increase in the proportion of relatively simple programs used in mass attacks, and attackers mastering non-Windows platforms like Android and Linux.

For instance, one in six (17%) ransomware attacks now involves an Android device, barely a year after the platform was first targeted. Ransomware programs were detected on the computers of 753,684 unique users; 179,209 computers were targeted by encryption ransomware specifically, an increase of 48.3% compared to 2014. In addition, in many cases the encryptors are becoming multi-module and include functionality designed to steal data from victim computers.

Also, the report found that more than a third (34.2%) of user computers were subjected to at least one web attack over the year; a quarter of those (24%) were carried out using malicious web resources located in the US.

Kaspersky Lab also observed new techniques for masking exploits, shellcodes and payloads to make the detection of infections and analysis of malicious code more difficult. Specifically, cybercriminals used the Diffie-Hellman encryption protocol and concealed exploit packs in Flash objects.

Cyber-criminals also made active use of Tor anonymization technology to hide command servers, and used Bitcoins for making transactions.

And finally, the report detailed geographic trends. About 80% of attack notifications blocked by antivirus components were received from online resources located in 10 countries. The top three countries where online resources were seeded with malware remained unchanged from the previous year: the United States (24.2%), Germany (13%), and the Netherlands (10.7%). This rating demonstrates that cyber-criminals prefer to operate from, and use hosting services in, countries where the hosting market is well developed.
