There’s a RAT in Your Mobile


Mobile banking and mobile payments are becoming the method of choice for users wishing to bank online. Nearly two-thirds of Americans own a smartphone, and that number is only expected to rise exponentially in the coming years. Mobile phones have increasingly become tools that consumers rely on for a range of financial activities, such as payments, budgeting, and shopping.

According to KPMG's Global Mobile Banking Report and UBS Evidence Labs, the number of mobile banking users globally is forecast to double to 1.8 billion over the next four years, representing over 25% of the world's population.

Banks have been the target of hackers since computers were first introduced to process and store financial transactions. Tapping into banking systems allows cyber-criminals to capture personal information and submit fraudulent transactions.

Therefore, it is no surprise that financial services organizations are 300% more likely to be attacked than any other business, according to a recent report released by Websense Security Labs. Hackers are shifting their focus to the systems that manage the flow of money and information. The move to mobile banking and mobile payments will inevitably result in an onslaught of attacks on these platforms.

From e-Commerce to m-Commerce

Cyber-criminals are rushing into the mobile space, posing a significant threat to both the banking and e-commerce industries. At the forefront of this wave of attacks are Remote Access Trojans (RATs) – a traditional favorite among cyber-criminals. This form of malware has become incredibly popular among fraudsters targeting the financial industry, as they can access user devices remotely to steal personal information and make fraudulent transactions.

The past year, in particular, has seen a rise in the use of RAT technology to perpetrate online banking fraud using financial malware like Dyre, Dridex and Neverquest. With these variants of RATs, known as RAT-in-the-Browser (RitB), hackers have been able to access user browsers, log in to user accounts and submit fraudulent transactions. When fraudsters deploy RitB, banks have a more difficult time detecting fraudulent activity, as sessions can continue to look normal without raising red flags – the device is trusted, there is a known IP address, and there are no signs of automated scripts.

Some fraudsters have dispensed with developing or purchasing RAT malware altogether. Instead, they now social engineer bank users into installing standard remote access support tools such as TeamViewer, LogMeIn and Ammyy, and use those tools to perpetrate “social RitB” attacks.

Mobile Payments - the New Frontline

These same RAT tactics are now migrating to the mobile space. New-generation malware in the wild, such as OmniRAT, has introduced support for remote access on mobile devices. The new RAT tools also include mobile-centric infection techniques such as specially crafted MMS messages that enable mass infections of mobile devices. In a recent vulnerability detected by BioCatch in a major mobile payment app, it was found that this app (like many other similar apps) can’t detect that it is being managed remotely and allows a remote user to operate the application and transfer money.

Moreover, users who leave the default “remember me on the phone” setting enabled are at further risk, since the remote user is not even prompted for authentication (i.e. there is no need to know the username or password). These types of attacks are still not commonplace, since most mobile applications do not allow risky activities such as transferring large amounts of money to new payees.

Most banks still do not allow users to add new payees in the mobile app, only in the PC browser. However, all banks have plans to introduce these features, realizing that customers are demanding to transact via their mobile devices. Once these features are introduced, it should be expected that “RAT-in-the-Mobile” attacks will be the new “game” in town.
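To make the risk described above concrete, here is an added server-side authorization policy sketch (example code written for this article, not BioCatch's or any bank's implementation): a transfer is never executed on the strength of a “remember me” session alone, new payees and large amounts require a fresh authentication, and a session carrying remote-control indicators is held for review rather than stepped up, because a RAT operator controls the same device that would receive the second factor. The thresholds and signal names are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # require a fresh password / second factor before executing
    HOLD = "hold"        # park for fraud review; do not execute


@dataclass
class Session:
    remember_me: bool                 # logged in via stored device token, nothing typed
    seconds_since_strong_auth: int    # time since a password/2FA was last entered
    # Constructed signal names reported by the client, e.g. an untrusted
    # accessibility service or an active screen-sharing session.
    remote_control_signals: list = field(default_factory=list)


@dataclass
class Transfer:
    amount: float
    new_payee: bool


# Constructed thresholds for illustration only.
STEP_UP_AMOUNT = 500.0        # transfers at or above this amount are "risky"
STRONG_AUTH_MAX_AGE = 15 * 60 # a strong auth older than this no longer counts


def authorize(session: Session, transfer: Transfer) -> Decision:
    """Decide whether a transfer may run on the current session."""
    # Evidence that another party is driving the device outranks everything:
    # asking for a password here would just have the RAT operator type it.
    if session.remote_control_signals:
        return Decision.HOLD
    risky = transfer.new_payee or transfer.amount >= STEP_UP_AMOUNT
    if not risky:
        return Decision.ALLOW
    # Risky actions never ride on a "remember me" token or a stale login.
    if session.remember_me or session.seconds_since_strong_auth > STRONG_AUTH_MAX_AGE:
        return Decision.STEP_UP
    return Decision.ALLOW
```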

How to be Mobile-Responsible?

Mobile shoppers and bankers can take some of this responsibility into their own hands by educating themselves on this topic, staying updated on mobile breaches and following some of the guidelines below in order to prevent the next fraud:

1. First and foremost, only download apps from trusted app stores.

2. Do not respond to unsolicited messages or notifications that encourage the download of a mobile app. Use common sense - is someone trying to trick you into downloading something that you don't really want?

3. Be very cautious when downloading apps that your friends recommend to you via SMS, email, a Facebook post, etc. Your friend's social media or email account may have been compromised and used to send unsolicited messages to all contacts, tricking them into downloading a rogue mobile application. It is best to ask friends whether they’ve really recommended the app.

4. If you download an application, check to see what permissions are granted to it. If it's not a major application from a developer that you trust, there's a chance that it may contain hidden backdoors, malicious content or remote access capabilities. While the app stores make checks to try to find these, such checks are never airtight. In these cases the app will ask for many permissions, including access to personal details. If you see an app requesting too many things, be cautious.

5. Many financial, peer-to-peer and other apps that store personal details offer two-factor or two-step authentication. Try to use this, as it protects you from hackers who may steal or guess your password.

6. Update apps regularly. Many app updates, as well as operating system updates, fix new security issues.

7. Jailbreaking/rooting a mobile phone weakens its security dramatically. Just bear that in mind.

8. If you install a remote access application such as TeamViewer or LogMeIn to control your device remotely, make sure to keep your password safe and use two-factor authentication. If someone asks you to grant him or her remote access, don't. Social engineering scammers pose as help desks of legitimate companies and trick users into installing remote access apps so they can steal money from your mobile banking or payment applications.

As the number of mobile transactions continues to multiply by the millions, so will the number of mobile attacks. To keep the public secure, education and regulation should serve as effective safeguards.
