Back in April 2017, researchers discovered a new form of Android malware that uses fake overlay screens to mimic existing banking apps and steal user credentials. Distributed as benign-looking apps in Google Play, BankBot-infected apps posed as 20 entertainment and mobile banking apps. This first version of BankBot targeted a small number of institutions.
By October 2017 the concern had widened: BankBot variants were targeting over 150 banks in 27 countries. Security pros started wondering when, rather than if, BankBot-style attacks would spread worldwide.
While there are some regional variations (for example, variants targeting banks in the GCC region), BankBot is fundamentally a mobile phishing attack. Once it is installed and running on the device, BankBot phishes user credentials by:
- Checking the package information of the apps installed on the device for any of the targeted bank apps.
- If one is found, connecting to its C&C server and uploading the target’s package name and label; the C&C server replies with a URL for the library containing the files used for the overlay webpage.
- Monitoring the device for the launch of any targeted bank app, and displaying the overlay page on top of the legitimate app when it runs.
- Tricking the user, via the overlay, into believing they are using the legitimate app, and stealing the credentials entered into it.
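To make the sequence above concrete from the defender’s side, here is an added example (not Zimperium’s code, nor anything taken from a BankBot sample) that mirrors the first and third steps as detection logic: it matches the installed package list against a target list the way the malware does, and then flags an overlay window drawn by an overlay-capable, non-allowlisted package shortly after a targeted bank app launches. The package names, labels, target list, allowlist, event log and the 2-second window are all constructed for illustration; on a real device the inventory would come from the package manager (e.g. Settings.canDrawOverlays for the overlay permission) and the events from window-state monitoring.

```python
# Added example: toy detector for the BankBot-style overlay sequence.
# Nothing here is Zimperium's code or BankBot's; all data is constructed.
from dataclasses import dataclass


@dataclass
class App:
    package: str
    label: str
    can_draw_overlays: bool  # hypothetical: holds SYSTEM_ALERT_WINDOW


# Constructed device inventory (hypothetical package names and labels).
INSTALLED = [
    App("com.example.bank", "Example Bank", False),
    App("net.example.cryptomonitor", "Crypto Monitor", True),
    App("com.example.keyboard", "Swipe Keyboard", True),
    App("com.android.chrome", "Chrome", False),
]

# Hypothetical target list: what a BankBot sample would compare package names against.
TARGET_BANK_PACKAGES = {"com.example.bank", "pl.example.bank"}

# Hypothetical allowlist of overlay holders a defender trusts (keyboards, accessibility tools).
OVERLAY_ALLOWLIST = {"com.example.keyboard"}

# Constructed window-event log: (timestamp in ms, event type, package).
EVENTS = [
    (1_000, "launch", "com.example.bank"),
    (1_300, "overlay", "net.example.cryptomonitor"),   # overlay 300 ms after bank launch
    (9_000, "launch", "com.android.chrome"),
    (9_100, "overlay", "com.example.keyboard"),        # keyboard over a non-bank app
    (20_000, "launch", "com.example.bank"),
    (25_000, "overlay", "net.example.cryptomonitor"),  # 5 s later: outside the window
]


def find_targets(installed, targets):
    """Step 1 of the BankBot flow: which targeted bank apps are installed?
    Returns (package, label) pairs, i.e. exactly what the malware would upload."""
    return [(a.package, a.label) for a in installed if a.package in targets]


def detect_overlay_hijacks(events, installed, targets, allowlist, window_ms=2000):
    """Flag an overlay drawn within window_ms after a targeted bank app launches,
    when the drawing package holds the overlay permission and is not allowlisted."""
    overlay_capable = {a.package for a in installed if a.can_draw_overlays}
    alerts = []
    last_bank_launch = None  # (timestamp, bank package) of the most recent launch
    for ts, kind, pkg in sorted(events):
        if kind == "launch":
            # Only a targeted bank app opens a suspicion window; any other launch closes it.
            last_bank_launch = (ts, pkg) if pkg in targets else None
        elif kind == "overlay" and last_bank_launch is not None:
            launch_ts, bank = last_bank_launch
            delay = ts - launch_ts
            if (delay <= window_ms
                    and pkg in overlay_capable
                    and pkg not in allowlist
                    and pkg != bank):
                alerts.append({"bank": bank, "overlay_from": pkg, "delay_ms": delay})
    return alerts


if __name__ == "__main__":
    print("targets installed:", find_targets(INSTALLED, TARGET_BANK_PACKAGES))
    for alert in detect_overlay_hijacks(EVENTS, INSTALLED, TARGET_BANK_PACKAGES, OVERLAY_ALLOWLIST):
        print("ALERT:", alert)
```

Run as-is, the script reports one alert: the constructed "Crypto Monitor" package draws over "Example Bank" 300 ms after launch, while the keyboard overlay (allowlisted, and over a non-bank app) and the late overlay at 5 seconds are ignored. The timing window and allowlist are the tunable parts; real overlay malware may also delay its window, so the app-side counterpart of this check is to reject touches on obscured views (View.setFilterTouchesWhenObscured) rather than rely on timing alone.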
That Didn’t Take Long…
It appears those security folks did not have to wait long. A further set of banking Trojans is now targeting a number of Polish banks. According to the research, these variants were disguised as seemingly legitimate apps: “Crypto Monitor”, a cryptocurrency price tracking app, and “StorySaver”, a third-party tool for downloading stories from Instagram. They use the same approach as BankBot: displaying fake notifications and login forms from legitimate institutions and phishing user credentials through the overlay forms.
What’s Next? If You Are A Bank, YOU Are.
This reminds me of the early 2000s, when phishing sites mimicked brands we trusted. Two things were clear about those attacks:
- Consumers were not security professionals. They trusted brands like their favorite banks, and left security to the trusted institution to either provide protection or make the customer whole.
- Once the attackers had honed their approach and business model, the perpetrators (the “phishermen”) added new trusted brands to their attacks.
It doesn’t take much expertise or clairvoyance to see what happens next in the BankBot story. The first 20 apps were a test. The test then expanded to another 150 banking apps and more countries. The most recent wave is Poland. There is little doubt in my mind that the new mobile “phishermen” are expanding, and will soon go after the mobile customers of hundreds of banks in Europe, Asia and the United States.
Just as they did when they set up phishing sites back in the mid 2000s.
What Can I Do About It?
Zimperium’s core machine learning engine, z9, has a proven track record of detecting zero-day exploits. In September 2017 we announced an extension of the framework, “z9 for Mobile Malware”, that detects previously unknown mobile malware. z9 detects BankBot and its variants on-device, in real time.
In one deployment option, z9 runs inside zIAP™, an In-App Protection SDK that delivers self-protecting apps. Embedded in an app that is attacked by malware such as BankBot, zIAP detects the threat and can immediately terminate the session and/or flag the account as high fraud risk.