Wednesday 30 July 2014

BankMirage - Banking Malware Pulled From Google Play

Mobile banking is very convenient, allowing users to access their bank account and manage their finances without actually visiting the bank. Unfortunately, mobile banking apps are a constant target for hackers. A recent blog post from Lookout reveals that a cloned banking app targeting user logins was recently at large in the Google Play app store.
A Wolf in Sheep's Clothing
The malware is called BankMirage. It works by wrapping itself around a bank's original app, which in this case was the app of the Israeli bank Mizrahi Bank. The attackers then successfully uploaded the wrapped app to the Google Play store. When customers opened the app, they were instructed to enter their login information, at which point the malware grabbed the user's ID. After entering the correct information, the user then received an error message saying the login was incorrect and telling them to install the real app from Google Play.

The interesting part about BankMirage is that it only steals the user ID. Perhaps the hackers already have a huge cache of passwords and only need the user IDs, or perhaps BankMirage is the foundation for a round of very targeted phishing attacks in the future. Another plausible scenario is that the creators of BankMirage plan to sell their stack of IDs to other hackers for a price, further increasing the risk of a compromised bank account.
"At this point, it's still very curious even to us why the authors would only want to collect the usernames and not passwords," said Meghan Kelly, Security Communications Manager at Lookout. "However, it could be that they were testing the app's functionality before moving forward in development."
Fool Me Twice
Stealing login information is nothing new. The Zeus Trojan, which targets sensitive banking information and email accounts, returned last year. There are many variations of that program, and BankMirage's tactics are likewise used by other malware programs.

Another banking Trojan called WroBa.D not only takes login information but is also capable of intercepting SMS messages. This allows hackers to potentially obtain the authorization code before users have a chance to see it, giving hackers complete access to a bank account. The malware has seven variants, targets six banks in South Korea, and disguises itself on devices as a fake Google Play app.
South Korea is a natural target because its citizens have been using mobile banking applications since 2000. In 2008, 22.8 trillion won, the equivalent of $22.5 billion, was exchanged through online banking. Mobile devices accounted for 151 billion won, or $149 million, of those transactions.
Prevention
The terrifying part about the malware is that it existed inside Google Play. We always recommend that our readers only download apps from Google Play, but as this malware and past experience show, it is still possible for malicious software to make its way into the Google Play store.

Lookout advises concerned readers to use their best judgement when downloading apps. Check whether the banking app has a duplicate in the store and determine which one is the real deal. Be on the lookout for spelling errors, which usually indicate that the app is up to no good. For example, WroBa.D uses the Google Play icon, but the name below the icon reads "googl app stoy."
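The two checks in that advice (a second app carrying a trusted bank's name, and a misspelled brand name such as "googl") can be turned into a small inventory scan. The following is an added example written for this page, not code from the article, from Lookout, or from any bank; the package names, signing-certificate fingerprints and the list of installed apps are all constructed placeholders, and in practice the allow-list would be filled from values the bank or store operator publishes.

```python
# Added example (not from the original article): flags the warning signs the
# prevention advice names, given a constructed inventory of installed apps.
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    label: str           # text shown under the icon
    package: str         # package name
    signer_sha256: str   # hex SHA-256 of the signing certificate


# Constructed allow-list. Package names and fingerprints are placeholders
# standing in for the values a bank or store operator would publish.
TRUSTED = {
    "Mizrahi Bank": ("com.example.mizrahibank", "aa" * 32),
    "Google Play": ("com.example.vending", "bb" * 32),
}

MIN_BRAND_LEN = 5   # ignore short words ("Play", "Bank") that give false hits
MAX_DISTANCE = 2    # edits allowed before a word no longer counts as a near-miss


def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


# Longer words from the trusted labels, lower-cased: {'mizrahi', 'google'}
BRANDS = {w.lower() for label in TRUSTED for w in label.split()
          if len(w) >= MIN_BRAND_LEN}


def check_app(app: InstalledApp) -> list[str]:
    """Return findings for one app; an empty list means nothing suspicious."""
    findings = []
    trusted = TRUSTED.get(app.label)
    if trusted is not None:
        # Same label as a trusted app: it must also be the trusted package
        # signed with the trusted certificate, otherwise it is a clone.
        package, signer = trusted
        if (app.package, app.signer_sha256.lower()) != (package, signer):
            findings.append(f"impostor: '{app.label}' from {app.package} "
                            "is not the trusted package/signer")
        return findings
    # Unknown label: look for words that are a near-miss of a brand word.
    for word in app.label.lower().split():
        if len(word) < MIN_BRAND_LEN - MAX_DISTANCE:
            continue
        for brand in BRANDS:
            d = levenshtein(word, brand)
            if 0 < d <= MAX_DISTANCE:
                findings.append(f"lookalike: '{word}' in '{app.label}' "
                                f"resembles '{brand}'")
    return findings


def check_inventory(apps: list[InstalledApp]) -> dict[str, list[str]]:
    """Run check_app over an inventory and also report duplicated labels.

    Returns {package: [findings]} for every app with at least one finding.
    """
    report = {}
    first_seen = {}
    for app in apps:
        findings = check_app(app)
        if app.label in first_seen:
            findings.append(f"duplicate: '{app.label}' is also installed "
                            f"as {first_seen[app.label]}")
        first_seen.setdefault(app.label, app.package)
        if findings:
            report[app.package] = findings
    return report


if __name__ == "__main__":
    # Constructed inventory: the real bank app, a wrapped clone reusing its
    # label, a misspelled store lookalike, and an unrelated harmless app.
    sample = [
        InstalledApp("Mizrahi Bank", "com.example.mizrahibank", "aa" * 32),
        InstalledApp("Mizrahi Bank", "com.example.mizrahibank.wrap", "cc" * 32),
        InstalledApp("googl app stoy", "com.example.fakestore", "dd" * 32),
        InstalledApp("Calculator", "com.example.calc", "ee" * 32),
    ]
    for package, findings in check_inventory(sample).items():
        print(package)
        for f in findings:
            print("  -", f)
```

The label match is deliberately exact and the signer comparison deliberately strict: a clone that wraps the genuine app, as BankMirage did, keeps the genuine name and icon but cannot reproduce the bank's signing certificate, so the fingerprint is the one field the wrapper cannot copy. The edit-distance heuristic only catches crude misspellings like the one the article quotes; the word-length and distance thresholds are assumptions chosen to avoid flagging legitimately similar short names.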