'Vishing' attacks exploit older Android systems

Security analysts are urging consumers to update Android mobile phones to protect against a new variant of Android.Fakebank, a Trojan horse designed to steal information from outdated Android operating systems. In a March 15, 2018, blog post, Symantec researchers identified 22 apps from third-party Android markets in Korea. The new strains can intercept and reroute calls made by Korean consumers to their banks and financial institutions. This unprecedented level of sophistication and automation has raised the bar for the security community, noted Symatec bloggers Shaun Aimoto and Martin Zhang.

"When the app is launched, it collects and submits user's personal information to a command and control (C&C) server, and presents its display [spoofing a legitimate bank app]," they wrote. "The server will respond with configuration specifying the phone numbers that will be used in the scam."

Symantec further noted the malware can intercept both incoming and outgoing calls, fooling users who call a legitimate banking phone number, which alerts the malware to intercept and transfer the call to a preconfigured scammer's phone. Alternatively, incoming calls from scammers are masked by a fake user interface overlay and face dialog box that spoofs the legitimate bank caller ID and phone number.

Mobile malware scales

Symantec's March 2018 Internet Security Threat Report, Vol. 23 further highlights growth in mobile malware variants. The report's key findings include the following:

• Mobile malware variants grew by 54 percent from 2016 to 2017.
• An average of 24,000 malicious mobile apps were blocked daily in 2017.

• 27 percent of malicious apps were found in the lifestyle category, followed by 20 percent in music and audio.
• 63 percent of "grayware" apps in 2017 leaked phone numbers; 37 percent revealed geolocation. (Researchers described grayware as not completely malicious but trouble-prone. "With grayware increasing by 20 percent in 2017, this isn't a problem that's going away," they wrote.)
• 77.3 percent of iOS devices had the newest major version installed in 2017, compared with only 20 percent of Android devices running the newest operating system.

"Threats in the mobile space continue to grow year-over-year," Symantec researchers concluded.

Prevent 'vishing'

Frederik Mennes, senior manager for market and security strategy at Vasco Data Security, advised banks to protect against "vishing" (voice phishing) attacks by educating users to fully vet third-party apps before they install them on their mobile phones. Review app privileges, he stated, adding that banks must, at minimum, authenticate transactions with user-generated valid dynamic authentication codes.

"Fraudsters will have trouble convincing the user to generate and provide a valid authentication code for a fraudulent financial transaction, and hence will be stopped before doing any harm," Mennes said. Paul Bischoff, privacy advocate at Comparitech.com, expects the new vishing schemes to go viral in the cybercrime community. He advised consumers to be wary of third-party apps, limit permissions on those they install, and maintain updated Android operating systems. The latest Android release, called Oreo, specifically prevents criminals from spoofing caller IDs, he noted.

Bischoff called out the vishing malware dubbed Fakebank, in particular, and said its model could soon be adopted by malware markets outside of South Korea. He did, however, provide reassurance. "Even though the attack uses a fairly novel approach to scam users, Android owners can avoid it using the same best practices used to avoid any other type of malware," he said.

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.