The FBI has issued a warning to users of mobile banking apps that they may be at increased risk of compromise, as cyber-criminals look to exploit surging use of the technology under lockdown.
The Bureau’s Internet Crime Complaint Center (IC3) public service announcement claimed that industry figures show over three-quarters (75%) of Americans used mobile banking last year, and that usage has soared by 50% since the start of the year.
“With city, state and local governments urging or mandating social distancing, Americans have become more willing to use mobile banking as an alternative to physically visiting branch locations,” it continued.
“The FBI expects cyber-actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking Trojans and fake banking apps.”
Banking Trojans are often hidden inside legitimate-looking apps like games or news readers. They lie hidden on the user’s device until they visit their banking app, at which point they spring into action, often using an overlay to harvest log-ins and trick the bank’s back-end fraud screening.
Other variants pose as banking apps themselves and directly harvest log-in and personal data from the victim.
Kacey Clark, threat researcher at Digital Shadows, argued that fake banking apps can also be used for other malicious ends.
“Banking Trojans can be used as a ‘dropper’ to install malware onto a user’s phone, particularly spyware,” she said.
“Once installed on a device, spyware can remain undetected while managing and accessing everything on a victim’s device including sensitive information such as the target device’s camera and microphone, text messages, passwords, contact lists, stored or typed payment card details and geolocation.”
Chris Hazelton, director of security solutions at Lookout, added that mobile phishing is often used to trick users into downloading these apps from fake websites, or steal log-ins directly. He claimed that 46% of Lookout users encountered a mobile phishing attack in the past three months, up from 33% in the middle of 2019.
“Almost all users use a case to protect their phones from physical threats, but they should also protect the digital side of their smartphones to protect from malicious apps,” Hazelton argued. “They should also install mobile security software to protect their data and identities. Many services are free to use, and can easily be upgraded for even more protections.”
The FBI recommended users only download apps from official app stores and banking websites, use password managers with strong credentials, and if possible switch on two-factor authentication.