Beware mobile malware

While banks broadly appear to have avoided the scourge of the WannaCry attacks of May, a serious threat may be right at hand—literally. The source of that risk is customer and banker smartphones.

Analyst Al Pascual’s examination of mobile malware risks began with a casual comment by one of Javelin’s clients. The customer and Pascual had been discussing risks facing mobile services, and the client remarked that mobile malware might be something like Bigfoot. That is, in spite of the rumors and the “sightings,” was it really even out there?

That got Pascual wondering, and he dug into the matter. He found that mobile malware indeed does exist, and can wind up on a device in several different ways. As a result of his inquiry, Javelin recently published its 2017 Mobile Banking Malware Report as a warning to the industry for bankers with company devices as well as BYOD (bring your own device) connections to bank systems. Of potentially more importance, actually, was Javelin’s intent to raise the bankers’ awareness of the risks mobile malware poses to bank customers’ devices.

Fraud seems almost inevitable today in the age of the mobile device. “At the end of the day,” points out Pascual, “we pay a price for increased convenience. Insuring security is on you.”

Where do you get apps?

Typically, the apps that people put on their devices come from an official source related to that device. For iPhone users, home base is Apple’s App Store. For Android users, there is the Google Play store, formerly known as Android Market.

In both cases, the store operators are supposed to vet the offerings available to be sure that, among other things, they don’t contain harmful code. Pascual says that the App Store has historically done a better job in vetting apps, though he says that’s not to say that risks don’t slip through. He says Google’s store has grown better in vetting. Among recent efforts to improve app safety is the developer tool Google SafetyNet and the consumer-oriented Google Bouncer, which screens apps for risks.

These efforts can protect many users, says Pascual, but a risk remains that “you can drive a truck through.”

This is a practice called “sideloading.” Sideloading refers to obtaining apps from a source other than one of the official stores. Accomplishing this requires making a change to security settings to allow the device to download from other than its home base. It’s the device equivalent of turning off your home’s burglar alarm system. Or, perhaps more exactly, it’s venturing into a sketchy part of your town where you know the police don’t patrol. It’s possible that nothing may happen, but you never know.

You can find readily the instructions for doing this on either family of devices by Googling the word “sideload.” (This is not a recommendation to do so.)

Says Gizmodo’s online “Field Guide”: “So why is sideloading important? Sometimes you might want to install an app that doesn’t meet the rules of iOS and Android; or you might want to join a beta test where only unofficial app packages are available. Most users will never need to sideload an app in their lives, but it can be a handy trick to know.”

You may wonder why anyone but the technically initiated would meddle with this sideload capability when there are huge numbers of apps that have at least been subjected to the giants’ vetting. One point is that not everyone downloading apps is accessing “Joe Schmo’s Bargain App Basement.”

Dangers of nonofficial apps

Pascual points out that there’s a major source of nonofficial apps. It’s part of the world’s biggest online retailer and goes by the name of Amazon Underground. On this service, Amazon offers many popular apps that it calls “actually free.” Even in-app purchases are free. They can be downloaded to Android devices and to Amazon Fire tablets. (In 2019, Amazon plans to end support for this oddly named service in favor of concentrating on its own Amazon Appstore.)

Pascual uses Amazon Underground apps himself. However, he points out that there are risks.

First off, he explains, “Who’s to say that Amazon vets apps as well as others?”

Second, the risk of unlocking security to permit sideloading involves not only the initial load, but the risk that security doesn’t get turned back on.

People do things very quickly on their devices. How often have you suddenly realized how many apps you have open on your device that you thought you had shut off?

One of the risks of not restoring security settings is that this can expose the device to a “drive-by” download. That is a download of malware going on in the background when an unprotected device is visiting a compromised website, for example.

But Pascual says the other risk is the app that materializes out on the internet from some unknown source, not even from a quasi-official site like Amazon’s. He says this often happens when a popular new app, especially a hot, new mobile game, becomes available in one app store but initially not on the other. Excited fans often don’t want to wait for the official release on their platform of choice. So they succumb to the temptation to download the supposedly re-ported version of the hot property. The bootleg may turn out to be carrying malware.

One example, says Pascual, is the popular Super Mario Run, released for Apple devices several months ahead of the Android version. Fraudsters used a phony version of the game to infect Android users with the Marcher mobile banking Trojan malware.

Extent of the risk

Javelin’s report estimates that nearly 8 million mobile banking users expose themselves to the risk of malware infiltration because of sideloading.

“Unlike desktop malware, which can infect devices invisibly through malicious websites, mobile malware typically requires the user to actively consent to install the app,” according to the Javelin report’s executive summary. “This requires malware operators to disguise their app as something with legitimate functionality.”

Javelin’s research indicates that only 6.1% of smartphone owners say that they have sideloaded. However, the research determined that among active users of mobile person-to-person payments and mobile wallets, over 10% have sideloaded.

One common way that the malware attacks, once loaded, is by placing an overlay on the desired app. This screen requires entry of log-in information, payment information, and other details that can be used by the malware attacker to rip off the consumer and his bank. The report details how one overlay actually required duped users to shoot photos of identification documents.

“Malware is designed to compromise the individual user,” says Pascual. From the criminals’ perspective, the “beauty” of this method is that the fraud is automated, he explains. They set up the false apps, and build in the malware. Then they wait for the compromised data they seek to roll in.

This adds to an exposure that already exists. “Existing malware families have long had the ability to compromise SMS [text] messages, undermining the most prevalent form of two-factor authentication used by U.S. financial institutions,” according to the Javelin executive summary. “Overlay attacks represent a potent new means of compromising static credentials, such as passwords and security questions.” Sideloading can increase the potential for having both forms of security negated.

What can be done?

Javelin’s report warns that countries outside the United States, where third-party app sources are more prevalent, have seen more malware attacks. But this is expected to change as criminals further exploit fresh targets in the United States.

Regarding consumers, Pascual recommends that banks reach out to educate them about the risks to their legitimate apps and device functionality of going outside the official app zone. While he has done so himself, he stresses that after downloading something from, say, Amazon Underground, he makes sure that he’s turned security settings back on.

He also recommends turning on all alerts offered by financial providers. Activating both text and email alerts will provide an email backup in case the text alert channel has been compromised. Malware fraudsters may intercept the alert.

Pascual says BYOD is less common among banks than other types of companies. But he adds that this doesn’t mean employees with company-provided devices aren’t sideloading third-party apps.

“Who knows what’s tagging along with the app from that third-party store?” says Pascual. “You want to be sure that this practice is completely disallowed.”

Increasingly, the ability to detect overlay fraud and related malware practices on a device is being built into mobile financial apps. This enables an institution to shut down all or selected functionality of its app on a compromised device. Javelin’s report stresses that phasing out of text-based authentication to alternative methods like biometrics will make it harder for crooks to infiltrate accounts.

Download more about Javelin’s report