Friday, March 23, 2018
"When the app is launched, it collects and submits user's personal information to a command and control (C&C) server, and presents its display [spoofing a legitimate bank app]," they wrote. "The server will respond with configuration specifying the phone numbers that will be used in the scam."
Symantec further noted the malware can intercept both incoming and outgoing calls, fooling users who call a legitimate banking phone number, which alerts the malware to intercept and transfer the call to a preconfigured scammer's phone. Alternatively, incoming calls from scammers are masked by a fake user interface overlay and face dialog box that spoofs the legitimate bank caller ID and phone number.
Symantec's March 2018 Internet Security Threat Report, Vol. 23 further highlights growth in mobile malware variants. The report's key findings include the following:
"Threats in the mobile space continue to grow year-over-year," Symantec researchers concluded.
Frederik Mennes, senior manager for market and security strategy at Vasco Data Security, advised banks to protect against "vishing" (voice phishing) attacks by educating users to fully vet third-party apps before they install them on their mobile phones. Review app privileges, he stated, adding that banks must, at minimum, authenticate transactions with user-generated valid dynamic authentication codes.
"Fraudsters will have trouble convincing the user to generate and provide a valid authentication code for a fraudulent financial transaction, and hence will be stopped before doing any harm," Mennes said. Paul Bischoff, privacy advocate at Comparitech.com, expects the new vishing schemes to go viral in the cybercrime community. He advised consumers to be wary of third-party apps, limit permissions on those they install, and maintain updated Android operating systems. The latest Android release, called Oreo, specifically prevents criminals from spoofing caller IDs, he noted.
Bischoff called out the vishing malware dubbed Fakebank, in particular, and said its model could soon be adopted by malware markets outside of South Korea. He did, however, provide reassurance. "Even though the attack uses a fairly novel approach to scam users, Android owners can avoid it using the same best practices used to avoid any other type of malware," he said.
Editor's Note:
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.