Millions stolen from US and EU banks could’ve been prevented. According to a recent Ars Technica article, “Researchers from IBM Trusteer say they’ve uncovered a massive fraud operation that used a network of mobile device emulators to drain millions of dollars from online bank accounts in a matter of days.
“The scale of the operation was unlike anything the researchers have seen before. In one case, crooks used about 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank accounts had been compromised. The thieves then entered usernames and passwords into banking apps running on the emulators and initiated fraudulent money orders that siphoned funds out of the compromised accounts. Emulators are used by legitimate developers and researchers to test how apps run on a variety of different mobile devices.”
The article goes on to say, “To bypass protections banks use to block such attacks, the crooks used device identifiers corresponding to each compromised account holder and spoofed GPS locations the device was known to use. The device IDs were likely obtained from the holders’ hacked devices, although in some cases, the fraudsters gave the appearance that they were customers who were accessing their accounts from new phones. The attackers were also able to bypass multi-factor authentication by accessing SMS messages.”
Zimperium protects mobile apps
The reality is that mobile attacks are rampant and increasingly sophisticated, and they cause serious damage to profitability, reputation and brand value. Zimperium, the global leader in mobile device and app security, lets customers detect and prevent more mobile threats, with less organizational friction, than any alternative.
Based on what is publicly known about this incident, our Mobile Application Protection Suite (MAPS) platform would have provided real-time detection of, and protection against, this type of attack. It would have done so in three ways:
- First, we help developers and security teams reduce risk in their applications by integrating our zScan app scanning tool into the software development life cycle (SDLC).
- Second, our zShield obfuscation technology hardens applications against reverse engineering and the other techniques attackers use to clone or understand a target application before mounting this type of campaign.
- Third, our zDefend software development kit (SDK) lets developers quickly embed Zimperium’s machine learning-based detection engine, z9, directly inside any mobile app. zDefend would have detected that the app was running on a compromised device or an emulator, and would have detected the app tampering or hooking techniques the attackers likely used to automate their campaign at scale.
With the zDefend SDK embedded, a mobile app can immediately determine whether the user’s device is compromised, whether the app is running on an emulator, whether a network attack is in progress, and even whether malicious apps are installed. zDefend is fully configurable by the app’s developers, who select the remedial action to apply when a given threat is detected. When the device or the app is under attack, zDefend informs the app and initiates those predetermined risk mitigation actions.
The embedded zDefend provides robust and granular detections and defenses against many risks and threats, including specific events that were likely part of this attack, such as:
- The application is installed on an emulator.
- The application is being tampered with or hooked, typically a key step for attackers trying to reverse an application or automate fraud at scale.
- The device has malware such as BankBot installed; the app can trigger immediate steps to freeze access until the user deletes the BankBot-carrying app and resets their password online.
- The device has been jailbroken by its user; the app can allow the session to continue but raise the user’s fraud score to account for the additional risk.
- The device has been compromised by an external actor; the app can display a dialog asking the user to complete their transaction offline.
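The list above describes a policy: a set of device-side detections, each mapped to a remediation the app owner chooses. The following is an added example, written for this post and not code from Zimperium’s zDefend SDK or the z9 engine, of how such an engine can be structured. It runs a few widely used Android heuristics (stock-emulator system properties, hooking frameworks mapped into the process, root artifacts on disk, a package blocklist) over constructed device snapshots and picks the most severe configured action. The property names, file paths, package names and sample devices are illustrative assumptions, not data from the incident.

```python
"""Added example (not Zimperium's zDefend SDK): an in-app risk engine that turns
constructed device signals into the remediation actions described above.
Indicator lists, property names, file paths and sample devices are assumptions."""
import re
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Mapping, Sequence


class Action(IntEnum):
    """Remediation actions, ordered by severity so the worst triggered one wins."""
    ALLOW = 0
    RAISE_SCORE = 1    # let the session continue, but add to the fraud score
    OFFLINE_ONLY = 2   # ask the user to complete the transaction offline
    FREEZE = 3         # freeze access until the user removes the malware and resets the password
    BLOCK = 4          # refuse the session outright


# Threat -> action mapping the app owner would configure. Malware, rooted and
# compromised mirror the list above; emulator and hooked are assumed values.
DEFAULT_POLICY: Dict[str, Action] = {
    "emulator": Action.BLOCK, "hooked": Action.BLOCK, "malware": Action.FREEZE,
    "compromised": Action.OFFLINE_ONLY, "rooted": Action.RAISE_SCORE,
}
SCORE_WEIGHTS: Dict[str, int] = {"emulator": 100, "hooked": 90, "malware": 80,
                                 "compromised": 60, "rooted": 40}

# Well-known stock-emulator indicators in Android system properties (getprop output).
EMULATOR_HARDWARE = {"goldfish", "ranchu", "vbox86"}
EMULATOR_MODEL_HINTS = ("sdk_gphone", "android sdk built for", "emulator")
# Instrumentation frameworks that show up as mapped libraries in /proc/self/maps.
HOOK_LIBRARY = re.compile(r"frida|xposed|substrate|riru", re.IGNORECASE)
# Files whose presence indicates a rooted device.
ROOT_ARTIFACTS = {"/system/bin/su", "/system/xbin/su", "/sbin/magisk", "/data/adb/magisk"}


def detect_emulator(props: Mapping[str, str]) -> bool:
    """True when the system properties look like a stock Android emulator."""
    if props.get("ro.kernel.qemu") == "1":
        return True
    if props.get("ro.hardware", "").lower() in EMULATOR_HARDWARE:
        return True
    if props.get("ro.build.fingerprint", "").startswith("generic"):
        return True
    model = props.get("ro.product.model", "").lower()
    return any(hint in model for hint in EMULATOR_MODEL_HINTS)


def detect_hooking(proc_maps: str) -> List[str]:
    """Return pathnames of mapped libraries that belong to hooking frameworks."""
    hits = []
    for line in proc_maps.splitlines():
        fields = line.split(None, 5)          # addr perms offset dev inode pathname
        if len(fields) == 6 and HOOK_LIBRARY.search(fields[5]):
            hits.append(fields[5].strip())
    return hits


def detect_malware(installed: Sequence[str], blocklist: Sequence[str]) -> List[str]:
    """Installed package names that appear on a (constructed) banking-trojan blocklist."""
    return sorted(set(installed) & set(blocklist))


@dataclass
class DeviceSignals:
    props: Mapping[str, str]
    proc_maps: str
    existing_paths: Sequence[str]
    installed: Sequence[str]
    compromised: bool = False   # assumed to be fed by a separate exploit/network detector


@dataclass
class Decision:
    action: Action
    fraud_score: int
    threats: List[str] = field(default_factory=list)


def evaluate(signals: DeviceSignals, blocklist: Sequence[str],
             policy: Mapping[str, Action] = DEFAULT_POLICY) -> Decision:
    """Run every detector, then pick the most severe configured action."""
    threats = []
    if detect_emulator(signals.props):
        threats.append("emulator")
    if detect_hooking(signals.proc_maps):
        threats.append("hooked")
    if detect_malware(signals.installed, blocklist):
        threats.append("malware")
    if signals.compromised:
        threats.append("compromised")
    if ROOT_ARTIFACTS & set(signals.existing_paths):
        threats.append("rooted")
    action = max((policy[t] for t in threats), default=Action.ALLOW)
    score = min(100, sum(SCORE_WEIGHTS[t] for t in threats))
    return Decision(action, score, threats)


# Constructed sample inputs (not real telemetry from the incident).
BLOCKLIST = ["com.example.bankbot.dropper", "com.example.fakeflash"]
LIBC_MAP = "7f3a10000000-7f3a10004000 r--p 00000000 fd:00 2210 /system/lib64/libc.so\n"
FARM_DEVICE = DeviceSignals(   # emulator running the banking app under Frida
    props={"ro.kernel.qemu": "1", "ro.hardware": "ranchu", "ro.product.model": "sdk_gphone_x86",
           "ro.build.fingerprint": "generic/sdk_gphone_x86/generic_x86:11/RSR1.201013.001/6903271:userdebug/test-keys"},
    proc_maps="7f3a00000000-7f3a00021000 r-xp 00000000 fd:00 4182 /data/local/tmp/frida-agent-64.so\n" + LIBC_MAP,
    existing_paths=[], installed=["com.example.bank"])
REAL_PROPS = {"ro.hardware": "qcom", "ro.product.model": "Pixel 4a",
              "ro.build.fingerprint": "google/sunfish/sunfish:11/RQ1A.210105.003/7005429:user/release-keys"}
ROOTED_DEVICE = DeviceSignals(props=REAL_PROPS, proc_maps=LIBC_MAP,
                              existing_paths=["/system/xbin/su"], installed=["com.example.bank"])
INFECTED_DEVICE = DeviceSignals(props=REAL_PROPS, proc_maps=LIBC_MAP, existing_paths=[],
                                installed=["com.example.bank", "com.example.bankbot.dropper"])

if __name__ == "__main__":
    for name, dev in [("farm", FARM_DEVICE), ("rooted", ROOTED_DEVICE), ("infected", INFECTED_DEVICE)]:
        print(name, evaluate(dev, BLOCKLIST))
```

Two design points worth noting. The action set is ordered so that a device raising several signals gets the strictest configured response, while the score keeps accumulating for the back end. And the property-based emulator check is the weakest signal here: attackers who already spoof device identifiers and GPS can just as easily spoof build properties, which is why a production engine should corroborate it with runtime signals (hooking, timing, sensor behaviour) and why the decision, with its reasons, should be reported server-side rather than enforced only in the app.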
With these and many more detection capabilities provided by zDefend, customers can initiate proactive remediation and mitigation actions both in the application and on the back end, with detailed forensics and visibility, to prevent this type of fraud and theft from happening in the first place. Combined with zScan and zShield as part of the overall MAPS platform, Zimperium helps customers secure and defend their mobile applications across the entire application lifecycle.
Contact us
To learn more about how we can help, please contact us.