Hackers take aim at mobile bankers, according to Nokia

Trojans designed to harvest mobile banking credentials are growing in popularity, warned Nokia this week.

The Finnish vendor has published its latest Threat Intelligence Report, which aggregates data collected from networks monitored by its NetGuard Endpoint Security solution. It found an 80 percent increase in the number of new mobile banking trojans. On Android handsets alone, banking trojans are now the third most common type of malware, behind spyware and run-of-the-mill trojans.

Once installed, these malicious apps can carry out a variety of functions depending on which permissions have been granted. For instance, some of them copy one-time log-in codes sent via SMS and send them to the attacker. Others wait until a banking app is opened, then place a transparent overlay on the log-in screen that saves the unwitting victim’s keystrokes, making them available to the hacker. Some can take a sneaky screenshot, and some even target authentication applications.

“Banking Trojans can arrive on smartphones in a variety of ways, often disguised as common and useful apps,” explained Nokia, in the report. “When run, they request a variety of permissions needed to perform their desired behaviour, then often remove their icon from the application pane, effectively disappearing from the device.”

Eventually, the victim forgets they ever installed the app, but it remains in the background, carrying out its nefarious tasks.

One notable Android banking trojan is FluBot, which is disguised as a package-tracking app from a major courier. The victim receives an SMS claiming a package is on its way to them; said message includes a link to download the bogus app. Another, called TeaBot, is disguised as a video app, while BlackRock poses as an Android or Google update. As Nokia’s makes clear, there are several attack vectors for mobile banking trojans.

Nokia warned that “once a trojan is installed and running on a phone, it can be difficult to remove.” On older versions of Android, some banking Trojans use various tricks to avoid removal, such as sending the user to the desktop as soon as they select the malicious app in the app manager, it said. “In these cases, the phone must first be booted in safe mode, then the app can be removed through the app manager.”

Nokia said the better strategy is to avoid getting infected in the first place. “The easiest and most obvious form of prevention is to download apps only from official app stores,” the vendor said.

Other recommendations include using multi-factor authentication and avoiding the use of banking apps while connected to public Wi-Fi hotspots.

According to the report, banking trojan activity is concentrated mainly in Europe and Latin America, but it is spreading to other regions.

It isn’t all doom and gloom though. The overall monthly mobile infection rate has held steady at around 0.12 percent since August 2019, down from a peak of 0.23 percent in the year before. That peak was driven by COVID-related cyberattacks. While people are now much more savvy about malware posing as information about COVID, it hasn’t stopped hackers from trying their luck.

“COVID-19-related malware incidents have persisted. Many of these involve phishing attacks leveraging email, social media and text messages that embed malicious links into information about COVID-19 vaccines. Ransomware attacks on the healthcare sector have also continued,” Nokia warned.

Obviously Nokia would like people to read its report and then sign up to its NetGuard Endpoint Security offering. That sounds quite complex for those of us who aren’t as well versed in network-based cyber security, so a more elegant and accessible solution might be to switch off our phones and go live in the woods.