Android Trojan attacks SMS smartphone bank security

SpyEye and Tatanga find way around PIN verification

Security company Trusteer is warning about an Android Trojan that is being distributed by criminals to beat the SMS smartphone authentication systems employed by European banks to verify money transfers.

Man-in-the-middle (MitM) attacks on 2FA technology via mobiles started around a year ago, based on the simple observation that the apparent strength of SMS verification is also its weakness if hackers are able to compromise the handset itself.

The SMS one-time passcode or transaction PIN looks like a way of shutting out online bank fraudsters who have gained access to a user's online account, so criminals have devoted time to working out how to intercept that code.

Trusteer has now seen the first mobile attacks based on the recent 'Tatanga' Trojan, as well as new configurations of the infamous SpyEye Trojan it has named 'SPITMO' (SpyEye in the mobile).

Users infected by the Windows Trojan are asked for their mobile numbers before being directed to a website that installs what is claimed to be a mobile security application. Once they have entered an 'activation code' - actually just a way for the attackers to know the mobile is live - the attackers are free to capture any traffic sent to that device.

The mechanics of the attack vary by country and that is perhaps the biggest feature of this attack - it targets a range of major European online banks, particularly those in Spain and Germany.

"Once fraudsters have infected a victim's web and mobile endpoints, very few security mechanisms can prevent fraud from occurring," said Trusteer CTO, Amit Klein, whose company offers in-browser tools that specialise in blocking such attacks.

Where are the attacks based? Perhaps China or the US, both countries from which the fake websites were registered, but nobody can be sure.

"This discovery confirms that Man-in-the-Mobile attacks are focusing primarily on Android devices. Multiple studies show that Android devices account for more than 60 percent of the smartphone market in the targeted countries," he said.

"Android popularity and the relative ease of developing and distributing Android applications are probably the reasons why cybercriminals have singled out this particular platform for mobile malware attacks."

The attack is really about finding a way around the two-factor authentication systems that are starting to become common on many online banking systems, including those accessed via mobiles. Given the relative simplicity of the social engineering involved, this now looks like a serious avenue of attack.

"With nearly 60 percent of the market and a reputation for weak app security, it's no surprise that Android has become the preferred target for financial malware," emphasised Klein.


Stories by John E Dunn
