The rapid escalation of banking malware has become a concern for everyone involved in the financial sector, especially traditional and digital-only banks. Grifthorse, Godfather, and other malicious software have evolved to impersonate and target hundreds of banks, developing sophisticated means to steal credentials and conduct fraud. According to our research, the total number of unique mobile malware samples increased by 51% from 2021 to 2022, with more than 920,000 samples of Dirty RatMilad, MoneyMonger, and Dark Herring detected.
About $8 million was lost in more than 700 malware-related scams reported in Singapore last month. In eight of these scams, CPF savings were involved, resulting in losses of $124,000. The victims were tricked into downloading malware onto their phones, resulting in unauthorized transactions from their bank accounts.
The challenge has prompted many customers and regulatory bodies to search for more practical measures and solutions to secure mobile banking applications.
Banking malware: How does it work?
Today’s banking scams are a complex web of deceit that stretches across multiple platforms and mediums. Crafted with a keen understanding of human psychology, these scams employ highly sophisticated social engineering campaigns that begin with the seemingly innocuous act of distributing phishing links. These can be found within emails, SMS messages, and even disguised as QR codes. What makes these tactics so insidious is how they mimic legitimate banking activity, lulling the user into a false sense of security.
Upon clicking the provided URL or scanning the QR code, the user is redirected to a fake banking page that looks genuine. The deception continues as the page persuades the user to download and install what is presented as a companion app but is, in reality, malware. The app then scans the phone, identifies which banking apps are installed, and downloads the assets it needs from a command-and-control (C2) server to imitate that particular bank more convincingly.
From this point on, the malware performs a sinister dance each time the end-user opens their real banking app. It seamlessly overlays the login screen, capturing the user’s credentials and One-Time Password (OTP), and then redirects the user to the legitimate app, all without the user suspecting that anything is amiss. Upon taking over the account, other malware capabilities like remote control and screen sharing help intercept and authorize transactions to move money out of the account without triggering alarms.
If the end-user’s device hosts multiple banking apps, the malware continues its deception with each one until it succeeds.
How are banks responding to the threat?
Threats from malware are relentless and rapidly evolving. Malicious actors share malware code more often and create new, more capable variants. To steal account credentials, ‘CypherRat’ combined SpyNote’s spying capabilities with banking trojan features such as remote access, GPS tracking, and device status and activity updates.
In order to keep up, banks are adding new security features to their mobile applications to detect malware behaviors. Under these new security protocols, users are temporarily blocked from using the app if suspicious apps are found on their phones. Bank customers who wish to access their bank accounts face not only inconveniences, but also privacy concerns due to the way these protocols function.
But the banking malware problem is multifaceted. We cannot merely label an app as malware based on individual features, permissions, or source, as legitimate apps often have the same individual characteristics. Moreover, malware authors are shrewd. Once they discern what security tools to target, they craft new permissions or capabilities to evade detection. There is no single feature that can determine whether an app is malicious and poses a risk to banking apps.
How regulators are evolving to secure mobile banking
Regulatory bodies globally, responding to an increase in malware-related scams, are mandating various security measures for standard and digital-only banks. Here are a few key examples:
Monetary Authority of Singapore (MAS)
Over 150 deposit-taking institutions are regulated and supervised by the Monetary Authority of Singapore (MAS), including full banks, wholesale banks, merchant banks, and finance companies. In 2021, MAS issued revised Technology and Risk Management Guidelines that specify the security requirements to be considered when securing mobile banking applications.
Reserve Bank of India
In its Master Direction on Digital Payment Security Controls, the Reserve Bank of India (RBI) provides security guidance for regulated entities planning to offer mobile banking and mobile payments services to their customers.
Reserve Bank of Malaysia
The Reserve Bank of Malaysia published Risk Management in Technology (RMiT), which sets out the Bank’s requirements for financial institutions’ management of technology risk. It specifies control measures for mobile applications and devices.
The Threat is Evolving – So Must Our Defenses
The fundamental question is: Can the mobile banking app recognize a threat to its integrity, whether from the device itself, the network connection, or malware that inhabits the same space?
Enter “adaptive runtime security,” a proactive and responsive approach that can make mobile banking apps self-defending. Unlike static measures, adaptive security resembles an autonomic biological immune system, continuously adjusting to the ever-changing threat landscape.
Introducing Zimperium zDefend™
Over 85 global banks trust Zimperium to secure their mobile devices and apps, making this a solution for our modern world.
Zimperium’s Runtime Application Self-Protection (zDefend) provides a robust, regulatory-grade solution to these challenges. zDefend is a comprehensive in-app protection solution. It combines machine learning, deterministic techniques, and behavioral techniques to provide on-device visibility into, and protection against, device, network, malware, and phishing attacks.
When embedded in a mobile application, in-app security acts like a biological immune system that protects the app from known and unknown threats on the device.
This real-time visibility and protection is achieved through an SDK integrated into the host mobile application.
In most cases, mobile app teams have no visibility into threats across their entire mobile application install base at runtime. The solution allows app dev and SOC teams to continuously monitor the entire install base and be alerted when abuse is attempted. When app dev and app sec teams can see real and relevant threats, they can perform meaningful threat modeling and make informed decisions about what to secure and which residual risks to accept.
The SDK leverages Zimperium’s patented dynamic on-device detection engine (z9), which is unparalleled in detecting malware. In an independent AV test, the solution detected over 99% of online and offline malware.
Protection is provided by on-device actions mapped to specific threats. There are out-of-the-box actions such as blocking app usage or redirecting to a URL, but developers can also create custom actions. When configured properly, the actions let app teams disable only the high-risk features rather than block the app entirely when side-loaded malware is detected on the device. As a result of this practical approach to security, the end-user experience remains good.
Unlike other solutions, these in-app detections and protections can be updated over the air. The SDK automatically keeps its detection capabilities up to date. A centralized console allows the actions to be changed and propagated in real time without releasing a new application.
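The two ideas above, that no single feature proves an app malicious and that the response should be graduated rather than all-or-nothing, can be expressed as a threat-to-action policy. The following is an added illustration, not Zimperium's code or zDefend's API: signal names, weights, thresholds and feature names are constructed assumptions, and the policy is kept as plain data so it could be replaced without shipping a new app build.

```python
"""Combine several on-device signals into one risk level and map it to a
graduated response (allow / degrade / block).  All signal names, weights,
thresholds and feature names are constructed for this example."""
from dataclasses import dataclass

# Policy is plain data so a console could push a new version over the air.
DEFAULT_POLICY = {
    "weights": {
        "sideloaded_install": 2,     # not installed from the official store
        "overlay_permission": 2,     # may draw over other apps' screens
        "accessibility_service": 3,  # may read screen content / inject input
        "remote_control_active": 3,  # screen sharing or remote session running
        "hostile_network": 2,        # interception indicators on the connection
        "device_rooted": 1,
    },
    # Combinations that are decisive on their own, whatever the score:
    # a side-loaded app that can both overlay and read the screen matches
    # the credential-theft pattern described above.
    "block_combos": [
        {"sideloaded_install", "overlay_permission", "accessibility_service"},
    ],
    "thresholds": {"degrade": 4, "block": 8},
    "high_risk_features": ["add_payee", "transfer", "raise_limits"],
}


@dataclass(frozen=True)
class Decision:
    score: int
    action: str                  # "allow", "degrade" or "block"
    disabled_features: tuple


def assess(signals, policy=DEFAULT_POLICY):
    """Return the action the app should take for a set of detected signals."""
    signals = set(signals)
    score = sum(policy["weights"].get(s, 0) for s in signals)
    hit_combo = any(combo <= signals for combo in policy["block_combos"])
    if score >= policy["thresholds"]["block"] or hit_combo:
        return Decision(score, "block", tuple(policy["high_risk_features"]))
    if score >= policy["thresholds"]["degrade"]:
        return Decision(score, "degrade", tuple(policy["high_risk_features"]))
    return Decision(score, "allow", ())


def is_feature_enabled(feature, decision):
    """Gate one in-app feature (e.g. the transfer screen) on the decision."""
    return decision.action != "block" and feature not in decision.disabled_features


if __name__ == "__main__":
    for s in (["device_rooted"], ["sideloaded_install", "overlay_permission"]):
        print(s, "->", assess(s))
```

A rooted device alone stays at "allow", a side-loaded app with overlay permission degrades the session to read-only, and the full overlay-plus-accessibility combination blocks regardless of score.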
Zimperium’s zDefend is embedded directly into mobile banking apps, enabling them to recognize untrusted environments and protect against fraudulent activity without completely blocking users from using the app.
zDefend is part of the Mobile Application Protection Suite (MAPS) in the Zimperium Mobile-First Security Platform™. MAPS helps enterprises build safe and secure mobile apps resistant to attacks. It is the only unified solution that combines comprehensive app protection with centralized threat visibility.
Conclusion: A Future-Proof Approach
Security for mobile banking applications must be as dynamic and intelligent as the threats it seeks to combat. With solutions like Zimperium zDefend, we can build a mobile banking application that’s not just reactive to the current threats but prepared for those we have yet to encounter.
Adaptive security represents not only the present necessity but the future of mobile banking security. By integrating these advanced security measures, we fortify our defenses, protect users’ privacy, and foster trust within the entire financial ecosystem.
In a world where banking malware is continually adapting and finding new vulnerabilities, the time for complacency has passed. Adaptive security is no longer a futuristic concept; it is a present-day requirement, a proven approach, and the path forward. It’s time to make our banking apps not just smarter but safer.