Welcome back to the next installment in our ongoing series on National Cybersecurity Awareness Month (recognized every October).
In previous articles, we covered:
- Cybersecurity habits to incorporate in your life right away.
- Cybersecurity careers worth exploring today and tomorrow.
In this post, we’ll discuss one of the biggest threats affecting mobile banking — Trojan malware that cybercriminals use to steal financial data.
Like most cybersecurity threats, mobile banking Trojans are a relatively recent trend. After all, smartphone technology is barely 10 years old, and mobile banking is even younger.
According to cybersecurity and virus protection firm McAfee, mobile malware attacks continue to grow 42% annually. Although there are many types of mobile banking Trojans, below are the four biggest threats that concern cybersecurity professionals the most.
1. Roaming Mantis
Also known as the MoqHao Trojan, Roaming Mantis attacks rely on DNS hijacking. Unsuspecting users try to visit legitimate websites on their mobile devices, but they are redirected to malicious ones that ultimately steal their financial data.
The hack usually begins with a compromised Wi-Fi connection that prompts users to download the “newest” version of their respective bank’s mobile app.
Once a malicious app is installed on a user’s phone, stealing his or her payment information is relatively simple.
Although MoqHao’s impact is mostly limited to Asian countries, 6,000 reported cases have already surfaced worldwide.
The LokiBot Trojan uses a slightly different strategy. It takes over existing apps by displaying an overlay screen. A user thinks he or she is using his or her bank’s mobile app. In reality, that user is inputting his or her username and password into a fake login page.
To make matters worse, trying to disable, block, or scan LokiBot triggers a ransomware attack that holds the individual’s phone hostage until he or she pays.
Although there are only 2,000 reported instances of LokiBot, this Trojan targets over 100 banking and communication apps. Thus, the number of attacks is likely to grow.
Faketoken also uses a fake overlay to trick people into supplying sensitive payment information when using banking apps and virtual wallets. What makes Faketoken unique is that it can also monitor incoming text messages and phone calls — allowing it to intercept the SMS codes that banks often send for two-factor authentication (2FA).
The exact scope of this threat is difficult to fully assess. According to some reports, Faketoken already has overlays for nearly 2,000 banking and payment apps worldwide.
The Marcher Trojan is simply a modified phishing attack that indirectly targets mobile phones. It works by sending fake emails to users who are redirected to equally fake versions of legitimate online banks.
Users are invited to supply their login information once they arrive — which allows criminals to gain entry to their bank accounts. However, users are also encouraged to download the “latest” versions of their banks’ mobile apps. This creates another entry point for cybercriminals.
Close to 20,000 Marcher attacks have been reported worldwide.
How to Protect Yourself From Mobile Banking Trojans
Combating this growing trend involves adopting many of the best practices we’ve covered in previous articles, including:
- Using strong, alphanumeric passwords for every website you visit
- Enabling multifactor authentication for every account you access
- Avoiding unsecured Wi-Fi networks at airports, cafes, and restaurants
- Not clicking on email links — even when you trust the sender(s)
However, it’s difficult to avoid these threats entirely, since some malicious apps travel through legitimate channels — such as Google Play and iTunes.
This is why the onus is also on financial institutions to make the mobile banking experience more secure for their users. For example, banks could require multifactor authentication, long passwords, and frequent password changes. They could also set up automatic alerts that notify users whenever activity happens on their respective accounts.
Again, mandatory changes like these wouldn’t stop every attack. There are simply too many vulnerabilities to plug. Worse still, new Trojans seemingly crop up every day — from Svpeng to Asacub to Acecard to XcodeGhost.
Moving forward, navigating this landscape will become harder and more perilous as mobile banking technology continues to mature. However, the tips outlined above represent low-hanging fruit that can hopefully shield you from the worst of it.