CEM REPORT | With digitalisation taking center stage in the world today, cyber-attacks and cybercrime have risen at an alarming rate. One method that has proven effective is phishing apps placed on legitimate app stores.
These apps are laced with trojans that swing into action when a legitimate banking or financial app is launched. The mobile banking trojans, usually embedded in popular productivity tools and games, deceive users by displaying a fake login page over the authentic one (an overlay) to capture account credentials.
These malware-bearing apps, commonly found on the Google Play Store, Android's official app store, also monitor notifications to intercept one-time passwords (OTPs), and are capable of abusing Android's Accessibility services to carry out fraud directly on the victim's device.
This is according to a Zimperium study giving an overview of the Android threat landscape in the first quarter of 2022, reported by Bleeping Computer.
According to the report, each of these trojans has carved out its own niche in the market, defined by how many organizations it targets and by the functionality that distinguishes it from the rest.
The report adds that the ten most prolific Android mobile banking trojans target 639 financial applications that collectively have over one billion downloads on the Google Play Store.
The study reveals that the United States tops the list of the most targeted countries with 121 targeted apps. The United Kingdom follows with 55 apps, Italy with 43, Turkey with 34, Australia with 33, and France with 31.
Although the study did not include African countries, Nigeria has been experiencing more cyber-attacks than usual since it began pushing digitalisation and a cashless economy.
With people losing millions to bank account hacks, and government and bank servers allegedly breached, Nigeria is not far from the study's results.
Of the trojans in the study, the one targeting the most applications is Teabot, covering 410 of the 639 tracked, while Exobot also targets a sizable pool of 324 applications.
The targeted application with the most downloads is PhonePe, which is very popular in India, with 100 million downloads from the Play Store.
Binance, the popular cryptocurrency exchange app, counts 50 million downloads. Cash App, a US and UK mobile payment service that is also popular in Nigeria, has 50 million installations via the Play Store. Both are targets of several banking trojans.
The most widely targeted application is BBVA, a global online banking portal with tens of millions of downloads. It is targeted by seven of the ten most active banking trojans.
The most prolific banking trojans in the first quarter of this year, according to Zimperium, are the following.
BianLian – Targets Binance, BBVA, and a range of Turkish apps. A new version discovered in April 2022 can bypass photoTAN, which is considered a strong authentication method in online banking.
Exobot – Targets PayPal, Binance, Cash App, Barclays, BBVA, and CaixaBank. It’s very small and light because it uses shared system libraries and fetches overlays from the C2 only when needed.
Sharkbot – Targets Binance, BBVA, and Coinbase. It features a rich set of detection evasion and anti-deletion capabilities, as well as strong C2 communication encryption.
Teabot – Targets PhonePe, Binance, Barclays, Crypto.com, Postepay, Bank of America, Capital One, Citi Mobile, and Coinbase. It features a keylogger tailored to each targeted app, loaded when the user launches that app.
Cabassous – Targets Barclays, CommBank, Halifax, Lloyds, and Santander. It uses a domain generation algorithm (DGA) to evade detection and takedowns of its command-and-control infrastructure.
Coper – Targets BBVA, CaixaBank, CommBank, and Santander. It actively monitors the device's battery optimization allowlist and modifies it to exempt itself from background restrictions.
EventBot – Targets Barclays, Intesa, BancoPosta, and various other Italian apps. It disguises itself as Microsoft Word or Adobe Flash, and can download new malware modules from remote sources.
FluBot – Targeted BBVA, Caixa, Santander, and various other Spanish apps. The botnet was notorious for its rapid distribution via SMS, using the contact lists of compromised devices to spread.
Medusa – Targets BBVA, CaixaBank, Ziraat, and a range of Turkish bank apps. It can perform on-device fraud by abusing the accessibility service to act as a normal user on the victim’s behalf.
Xenomorph – Targets BBVA and various EU-based bank apps. It can also serve as a dropper to fetch additional malware on the compromised device.
As is clear from the above, each of the ten most prolific banking trojans maintains a relatively narrow targeting scope, so the ecosystem is balanced and operators can pick the tool that matches their target audience.
The report states that the best way to beat these banking trojans is to keep your device up to date. Although these apps can be found on official app stores, checking reviews will go a long way, but most vital is to keep the number of installed apps on your device to a minimum.
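One way to turn that advice into a concrete check, offered here as an added example and not as anything from the Zimperium report or this article: the script below triages the third-party apps on an Android test device by the three privileges the trojans described above rely on (drawing over other apps, reading notifications, and an enabled accessibility service) and flags any package holding two or more of them. It parses the output of `adb shell` commands an analyst would run (`settings get secure enabled_accessibility_services`, `settings get secure enabled_notification_listeners`, and `appops get <pkg> SYSTEM_ALERT_WINDOW` for each package from `pm list packages -3`). The sample output and package names embedded in it are constructed for illustration, not captured from a real device, and the KNOWN_GOOD allowlist is an assumption to be adjusted per device.

```python
"""Triage third-party Android apps by the privileges banking trojans abuse.

Added example, not code from the Zimperium report. Input is the text of
three `adb shell` commands; the samples below are constructed, not captured.
"""
import re

# --- constructed sample output (hypothetical package names) ---------------
# adb shell settings get secure enabled_accessibility_services
ACCESSIBILITY_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfviewer/com.example.pdfviewer.HelperService"
)
# adb shell settings get secure enabled_notification_listeners
NOTIFICATION_LISTENER_SETTING = (
    "com.example.pdfviewer/com.example.pdfviewer.NotifyService:"
    "com.example.wearcompanion/com.example.wearcompanion.Listener"
)
# for p in $(pm list packages -3 | cut -d: -f2); do
#   echo "$p $(appops get $p SYSTEM_ALERT_WINDOW)"; done
OVERLAY_APPOPS = """\
com.example.pdfviewer SYSTEM_ALERT_WINDOW: allow; time=+3d2h11m0s ago
com.example.wearcompanion SYSTEM_ALERT_WINDOW: allow; time=+10d0h0m0s ago
com.example.solitaire No operations.
com.example.bankapp SYSTEM_ALERT_WINDOW: deny
"""

# Accessibility services legitimately enabled on many devices (assumption;
# extend per device, e.g. with the password manager actually in use).
KNOWN_GOOD = {"com.google.android.marvin.talkback"}


def packages_from_setting(value):
    """'pkg/Service:pkg2/Service2' -> {'pkg', 'pkg2'}; 'null' or '' -> set()."""
    if not value or value.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def overlay_allowed(appops_text):
    """Packages whose SYSTEM_ALERT_WINDOW app-op mode is 'allow'."""
    pkgs = set()
    for line in appops_text.splitlines():
        m = re.match(r"(\S+) SYSTEM_ALERT_WINDOW: allow\b", line)
        if m:
            pkgs.add(m.group(1))
    return pkgs


def capabilities(acc_setting, notif_setting, appops_text):
    """Map package -> set of abusable capabilities it currently holds."""
    caps = {}
    for pkg in packages_from_setting(acc_setting):
        caps.setdefault(pkg, set()).add("accessibility")
    for pkg in packages_from_setting(notif_setting):
        caps.setdefault(pkg, set()).add("notifications")
    for pkg in overlay_allowed(appops_text):
        caps.setdefault(pkg, set()).add("overlay")
    return caps


def flag(caps, known_good=KNOWN_GOOD):
    """Packages holding two or more capabilities, excluding the allowlist.

    Overlay + notification access is enough for credential and OTP theft;
    accessibility on top of either enables on-device fraud.
    """
    flagged = {}
    for pkg, held in caps.items():
        if pkg in known_good:
            continue
        if len(held) >= 2:
            flagged[pkg] = sorted(held)
    return flagged


def report(acc_setting, notif_setting, appops_text):
    """Human-readable triage lines, most capable package first."""
    flagged = flag(capabilities(acc_setting, notif_setting, appops_text))
    ordered = sorted(flagged.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [f"{pkg}: {', '.join(held)}" for pkg, held in ordered]


if __name__ == "__main__":
    for line in report(ACCESSIBILITY_SETTING, NOTIFICATION_LISTENER_SETTING,
                       OVERLAY_APPOPS):
        print("REVIEW", line)
```

On a real device the three inputs come from `adb shell` over a USB-debugging connection to a test handset, not a production phone. A hit is a prompt for review rather than proof of infection: a wearable companion legitimately reads notifications and may draw overlays, which is why the script reports the combination it found instead of a verdict.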