Potential upcoming trojan attacks targeting banking apps in Southeast Asia and ways to prevent such risks.
Written by Azlan Yeng Khalid, SecIron
There is no denying that people have become increasingly dependent on the digital world, as shown by the surge in user onboarding for eCommerce, logistics, banking and other services during the pandemic lockdowns. The same shift has driven an increase in cyber-attacks worldwide, above all across the Financial Services Industry (FSI), as criminals seize the opportunity it presents. Beyond breaches and data loss, criminals have carried out ransomware attacks and stolen funds from financial organisations and individuals around the world.
The mobile application has enabled users to do more with less, and has given businesses a new channel for interacting with their customers and innovating in the way they do business. The way applications are developed and used has changed drastically over the years, especially with the introduction of hybrid mobile applications (Android, 2013). Mobile application development is now an industry worth billions of dollars, and it continues to grow every year.
Like other platforms, mobile apps are vulnerable to compromise, and there are many known cases of data breaches, password theft and identity theft caused by tampered mobile apps. Alongside sectors such as education, logistics and enterprise software, banking is one area where mobile technology has delivered outstanding results. In this article we cover the Trojan families most frequently reported as persistent threats to the banking sector over the last few years.
The following Trojans are known or potential threats to the banking sector across Southeast Asia and the wider APAC region:
BRATA
BRATA (Brazilian Remote Access Tool Android) was first identified in Brazil in 2019, initially as spyware. It has since infected thousands of banking customers across Latin America and Europe, including Italy and Spain, and in a report published on 24 January 2022 the fraud-prevention firm Cleafy said BRATA was now targeting the UK and Poland, with China and possibly Southeast Asia as likely next targets. Beyond credential theft, it can log keystrokes, track the device's location and perform a factory reset on the infected device to cover its tracks after a fraudulent transfer.
Vultur
Vultur is an Android remote access trojan (RAT) that steals banking and financial data from the compromised device and is capable of much more. First identified by ThreatFabric analysts in March 2021, it relies on keylogging and screen recording (over VNC) rather than the overlay attacks typical of older banking Trojans, letting operators harvest credentials at scale. It has been used mainly to capture login credentials for more than 100 banking and cryptocurrency apps and has affected thousands of devices.
BoTShark
BotShark is botnet malware that can exploit new attack vectors by operating as part of a network of infected hosts. Existing intrusion detection systems are unlikely to be effective against it: its traffic is designed to evade deep packet inspection, and it is hard for conventional antivirus products to detect.
Emotet
Emotet spreads through spam email, which is why it is often described as malspam. A malicious script is attached to the email or hosted at a URL in the message. The email is crafted to look familiar to the recipient, which makes it hard to tell that it is malicious. Emotet is polymorphic and uses evasion techniques to avoid detection. To date it has hit individuals, businesses and government entities across the US and EU to steal banking information.
TrickBot
Put simply, TrickBot was originally built as a banking Trojan. In practice it has grown into a modular malware platform with strong persistence capabilities. It is also spread through malspam; the main attack vector researchers have found is a macro-laden MS Office document attached to the email. When the user downloads and opens the document, the macro runs a script that downloads the Trojan and establishes persistence.
PixStealer
PixStealer is a banking Trojan that targets Brazil's Pix instant payment system on Android. It abuses the Android Accessibility Service and was distributed through Google Play disguised as a legitimate app. Its aim is to steal money: it waits until the victim has authenticated in the banking app, then uses the accessibility permission to read the screen and operate the app within the victim's session, so the transfer appears to come from the legitimate, already-verified user and passes the bank's checks without the victim noticing.
Ramnit
Ramnit is an old Trojan that was originally built for Windows. First seen in 2010, its botnet was dismantled in a Europol-led operation with Symantec in 2015, yet Ramnit was still one of the most active banking Trojans of 2021. Aimed mainly at consumers, it takes over online accounts and steals credit card information. It has affected thousands of machines, particularly those used for financial transactions, and has caused substantial losses through unauthorised transfers. Among other channels, it is distributed over peer-to-peer networks. According to IBM X-Force threat intelligence, Ramnit's source code remains in the hands of its operators, so the threat is expected to stay active through 2022.
Agent Tesla
Many modern Trojans are new versions of older malware, and the classic RAT has taken its current form in Agent Tesla. Many new variants emerged during the COVID-19 pandemic. At heart it is a keylogger and information stealer. Its primary delivery mechanism is email, especially phishing, with social engineering used to persuade the target to open the attachment and hand over sensitive information.
XMRig
XMRig is a different kind of threat to the average internet user. It is an open-source miner for the cryptocurrency Monero which criminals plant on victims' machines so that the machines mine for the attacker's profit at the victim's expense. The goal is not to disable the machine but to monopolise its CPU; the effect on the victim is overheating, poor performance and, in extreme cases, crashes.
Remcos
Remcos has been in steady demand among cyber criminals, especially during the COVID-19 period. It is a RAT for Windows that gives the operator remote control of the system, with the ability to record keystrokes, take screenshots and send them to the operator's servers, and with features designed to evade antivirus and Windows Defender. It is generally spread through malicious emails.
FluBot
FluBot is an Android Trojan that harvests sensitive data from the phone and sends it to its operators' servers. Infection starts with an SMS that pressures the user into installing an app, typically disguised as a parcel delivery notification; the app is built to capture online banking credentials. FluBot's SMS lures have circulated worldwide, and users should be wary of following links received by SMS.
Risk Prevention methods
The best way to blunt Trojan malware is prevention, because once an attack has succeeded some loss is inevitable. The following measures give mobile banking apps a strong baseline of protection:
1. Runtime application self-protection
Apps should be made resilient. They must detect anomalous conditions at runtime, such as running on a rooted device, under a debugger, alongside an unexpected accessibility service, or with tampered code, and when they do, halt sensitive operations before serious damage is done and notify both the user and the bank's security team. With continuous behaviour monitoring, RASP can identify an attack and mitigate it in real time without human intervention, preventing vulnerabilities from being exploited. RASP should be integrated into every banking app.
2. Regular app security audits
New app vulnerabilities appear every day. Apps are checked for major security properties when they launch, but for banking apps the check for security flaws must be thorough and repeated over time. Today's third-party security providers typically offer end-to-end mobile app security scanning that highlights the threats a banking app faces within minutes, which is affordable and practical for a bank. Because new issues arise frequently, they need to be fixed as soon as they are detected: the audit produces findings, and the findings need fixing. Regular app updates ensure that users are running a version with the latest security measures in place.
3. Real-time Threat Monitoring
A mobile threat monitor would greatly reduce attacks on the mobile banking app, both static and dynamic. It allows a behaviour pattern to be established for each user, for example which device connects to which systems, and anomaly detection can then be run on those connections. Not every financial attack is tied to a particular device, but some devices will have appeared in previous attacks, and a connection from one of those should trigger a high-alert state.
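The monitoring logic described above, as an added example that is not part of the original article or of SecIron's products: each user's baseline (devices, countries, transfer amounts) is built from the sessions seen so far, later sessions are scored against it, and any device on a list of devices seen in earlier fraud cases raises the score to high alert on its own. The events, the blocklist, the field names and the thresholds are all constructed for the example.

```python
"""Behaviour and device anomaly scoring over mobile-banking session events.

Added illustration, not the article's or SecIron's code. Event fields,
thresholds and the blocklist of previously flagged devices are assumptions.
"""
from collections import defaultdict

# Constructed sample events (already parsed from the app's session log).
EVENTS = [
    {"user": "alice", "device": "dev-A1", "country": "MY", "amount": 120.0},
    {"user": "alice", "device": "dev-A1", "country": "MY", "amount": 80.0},
    {"user": "alice", "device": "dev-A1", "country": "MY", "amount": 200.0},
    # new device, new country and a transfer far above alice's baseline
    {"user": "alice", "device": "dev-Z9", "country": "PL", "amount": 4500.0},
    {"user": "bob",   "device": "dev-B7", "country": "SG", "amount": 50.0},
    # device that appeared in an earlier fraud case (see KNOWN_BAD_DEVICES)
    {"user": "bob",   "device": "dev-X2", "country": "SG", "amount": 30.0},
]

# Assumed intelligence feed: devices linked to previous attacks.
KNOWN_BAD_DEVICES = {"dev-X2"}

HIGH_ALERT = 70   # block the session and alert the fraud team
REVIEW = 30       # demand step-up authentication before continuing


def score_events(events, bad_devices=KNOWN_BAD_DEVICES):
    """Return [(index, score, reasons)] for every event, in order.

    Profiles are updated only after an event is scored, so the first
    sessions of a user establish the baseline the later ones are judged by.
    """
    profiles = defaultdict(lambda: {"devices": set(), "countries": set(), "amounts": []})
    results = []
    for i, ev in enumerate(events):
        p = profiles[ev["user"]]
        score, reasons = 0, []
        if ev["device"] in bad_devices:
            score += 70
            reasons.append("device linked to earlier fraud")
        if p["devices"] and ev["device"] not in p["devices"]:
            score += 30
            reasons.append("new device for this user")
        if p["countries"] and ev["country"] not in p["countries"]:
            score += 25
            reasons.append("new country for this user")
        if p["amounts"] and ev["amount"] > 5 * max(p["amounts"]):
            score += 25
            reasons.append("amount more than 5x previous maximum")
        results.append((i, score, reasons))
        # Update the baseline only after scoring this event.
        p["devices"].add(ev["device"])
        p["countries"].add(ev["country"])
        p["amounts"].append(ev["amount"])
    return results


def decide(score):
    """Map a score to the action the monitor takes on the session."""
    if score >= HIGH_ALERT:
        return "block_and_alert"
    if score >= REVIEW:
        return "step_up_auth"
    return "allow"


if __name__ == "__main__":
    for idx, score, reasons in score_events(EVENTS):
        ev = EVENTS[idx]
        print(f"{ev['user']:6} {ev['device']:7} score={score:3} {decide(score):16} {'; '.join(reasons)}")
```

In production the profile store would be persistent and the blocklist fed from the bank's fraud cases, but the shape is the same: a per-user baseline, additive reasons that are logged with the decision, and a device reputation check that overrides everything else.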
4. Encryption and application hardening
One of the most common measures in mobile banking is to encrypt and harden the application. Encryption means stored and transmitted data cannot be read or manipulated without the correct key, and hardening (obfuscation, anti-tampering and anti-debugging controls) raises the cost of reverse engineering the app. With today's digital security vendors this can be added to an application quickly through SaaS tooling; some vendors protect core routines by running them inside a custom virtual machine (code virtualisation). One caveat a practitioner should insist on: the cryptography itself should rest on standard, publicly reviewed primitives such as AES-GCM with keys held in the platform key store (Android Keystore, iOS Secure Enclave), and vendor-proprietary algorithms should be treated as obfuscation, not as a substitute for vetted cryptography.
5. Multi-factor authentication
Multi-factor authentication has gained wide adoption across the IT sector, and it prevents many attacks, particularly identity theft, because a stolen password alone is no longer enough to act on the account. Combined with biometrics it adds a further layer of security at little cost in convenience. Banking apps in particular must invest in authentication mechanisms such as device-bound one-time codes and biometric confirmation of high-value transactions, made part of a multi-factor scheme.
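One factor that is easy to get subtly wrong is the time-based one-time code. Below is an added example, not code from the article or from SecIron, of RFC 6238 TOTP generation and server-side verification using only the Python standard library. The secret, the 30-second step, the six-digit length and the one-step drift window are assumptions; the verifier also refuses any time step at or before the last one accepted, so a code captured by a keylogger cannot be replayed within its validity window.

```python
"""TOTP (RFC 6238) code generation and replay-safe verification.

Added illustration, not the article's or SecIron's code. Secret length,
step size, digit count and drift window are assumptions (RFC defaults).
"""
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30      # seconds per time step
DIGITS = 6     # code length shown to the user


def new_secret(nbytes: int = 20) -> bytes:
    """Provisioning: a fresh random shared secret (160 bits for SHA-1)."""
    return secrets.token_bytes(nbytes)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Client side: the code for Unix time `at` is HOTP of the time-step counter."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side. Accepts +/- `window` steps of clock drift and never
    accepts a step at or before the last one that succeeded (replay block)."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_step = -1   # persist this per user in a real deployment

    def verify(self, code: str, at: int) -> bool:
        current = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_step:
                continue   # already used, or older than a used code
            # Constant-time compare: do not leak matching prefix via timing.
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    now = int(time.time())
    code = totp(secret, now)
    server = TotpVerifier(secret)
    print("code:", code, "first use:", server.verify(code, now), "replay:", server.verify(code, now))
```

The check is deliberately run against every step in the window rather than stopping at the first non-match, and the comparison uses `hmac.compare_digest`; a naive string comparison would let an attacker with precise timing recover the code digit by digit.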
6. Security awareness
The main reason users fall prey to banking Trojans and attacks on their financial transactions is lack of awareness. Basic security awareness should be provided to every banking customer, for example through a walkthrough built into the app that teaches basic practices and keeps users informed about current Trojans and app vulnerabilities. Banks, regulators and governments across Southeast Asia must work together on security awareness programmes for the public.
Final thoughts…
The financial sector loses billions of dollars each year. Mobile banking app developers need to implement state-of-the-art threat prevention to deliver a trustworthy customer experience and to protect the bank from cybersecurity incidents such as ransomware and phishing. They have a responsibility to take active steps against attack, and malware scanners alone are not enough: the stakes in mobile banking oblige security teams to look for solutions that can both detect and prevent attacks.
Mobile banking has been a target of cyber criminals for many years. Android families such as FluBot, PixStealer, BRATA, Vultur and BlackRock circulate on users' devices, while Windows families such as TrickBot, Emotet, Remcos and the XMRig miner threaten the PCs from which customers also bank. These Trojans are designed to steal financial information and credentials through the banking apps their victims use.
Ransomware is among the most common and most damaging attack scenarios in the financial sector and has become a major threat to banks and financial institutions, with attackers constantly adopting new techniques. From the perspective of banking security, Android mobile apps remain exposed to the full range of threats: phishing, man-in-the-middle attacks, spyware, identity theft and more.
For a secure mobile banking experience, app developers and banks need to implement best-in-class security practices and controls. We researched banking app vulnerabilities and found many; in all cases most of them are not being patched because they are not reported properly by the banking organisations.
A new breed of cyber criminals with access to sophisticated tools and tactics has created an entirely new threat landscape for the banking sector. Application security is now one of the key components of a bank's defence of its assets against cyber attack.