Trojans targeting mobile banking hit record levels in the first half of 2022
Most people in developed countries have adopted mobile banking into their daily lives surprisingly quickly and easily. The adoption of mobile banking has been successful because financial institutions and fintech companies have made the apps convenient and extremely secure. However, because the financial rewards of finding flaws in mobile banking apps tend to be astronomical, hackers are working day and night to figure out how to break into these apps.
While the mobile banking industry is in its golden age, it also draws constant attention from cybercriminals.
According to an Atlas VPN survey, the number of mobile banking Trojans reached an all-time high of 109,561 detections in the first half of 2022, up 117% from 50,450 detections in the second half of 2021. The analysis data was taken from the official website of Kaspersky Lab, where the company shares data received from its users.
Almost half (49.28%) of detections in the first half of 2022 are from the Trojan-Banker.AndroidOS.Bray family. This type of malware is considered to be a serious threat to the infected system. Mobile Trojans target mobile financial apps to commit device fraud and steal money directly from victims’ accounts. Victims sometimes manage to get their funds back. Cybercriminals tend to rationalize their fraudulent activities by claiming that their victims usually get their funds back, so the real losses are borne by banking institutions instead.
Differences in behavior on iOS and Android
In the case of cryptocurrency wallet attacks, ESET research has identified over 40 websites spoofing popular cryptocurrency wallets. These websites target only mobile users and encourage them to download malicious wallet apps. ESET was able to trace the distribution vector of these trojanized cryptocurrency wallets, as well as the creation of several Telegram groups that began looking for affiliate partners. Shortly thereafter, ESET discovered that these Telegram groups were shared and promoted in at least 56 Facebook groups with the same goal: to find more channel partners.
The malicious applications behave differently depending on the operating system they are installed on. On Android, the campaign appears to be aimed at new cryptocurrency users who do not yet have a legitimate wallet app installed on their devices. The trojanized wallets have the same package name as the legitimate applications; however, they are signed with a different certificate. On iOS, the victim can have both versions installed, the legitimate one from the App Store and the malicious one from the website, since the two do not use the same Bundle ID.
For Android devices, the sites offered the ability to directly download the malicious app from their servers, even when the user clicked the “Download from Google Play” button. Once downloaded, the application must be manually installed by the user. As for iOS, these malicious apps are not available in the App Store. They need to be downloaded and installed using configuration profiles that add an arbitrary trusted code signing certificate.
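The Android detail above (same package name, different signing certificate) is exactly what a defender can check for. The following is an added example, not code from the article, ESET or Kaspersky: it parses the text that `apksigner verify --print-certs` prints for an APK and compares the signer digests against a pinned allowlist. The package name and all digests are constructed placeholders.

```python
# Added example, not code from the article or from ESET/Kaspersky: triage a
# sideloaded APK for the pattern described above, a package name identical to
# the legitimate wallet app but a different signing certificate. Input is the
# text printed by `apksigner verify --print-certs <apk>`; package names and
# digests below are constructed placeholders.
import re
from typing import Dict, List, Set

# Pinned SHA-256 signer digests per package (placeholders, not real publisher
# certificates). A production allowlist would come from the app vendor.
EXPECTED_SIGNERS: Dict[str, Set[str]] = {"com.example.wallet": {"11" * 32}}

DIGEST_RE = re.compile(r"^Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})$")


def parse_signer_digests(apksigner_output: str) -> List[str]:
    """Lower-case SHA-256 digest of every signer apksigner lists."""
    digests = []
    for line in apksigner_output.splitlines():
        m = DIGEST_RE.match(line.strip())
        if m:
            digests.append(m.group(1).lower())
    return digests


def classify_apk(package: str, apksigner_output: str) -> str:
    """'spoofed' = known package name but a signer that is not pinned (the
    trojanized-wallet pattern); 'trusted' = all signers pinned; 'unknown' =
    package not in the allowlist; 'unsigned' = no SHA-256 digest printed."""
    digests = parse_signer_digests(apksigner_output)
    if not digests:
        return "unsigned"
    expected = EXPECTED_SIGNERS.get(package)
    if expected is None:
        return "unknown"
    return "trusted" if all(d in expected for d in digests) else "spoofed"


# Constructed sample output in apksigner's format: the genuine signer, and a
# sideloaded copy of the same package re-signed with a different key.
GENUINE_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Wallet, O=Example\n"
    "Signer #1 certificate SHA-256 digest: " + "11" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "22" * 20 + "\n"
)
RESIGNED_OUTPUT = (
    "Signer #1 certificate DN: CN=Android Debug, O=Android\n"
    "Signer #1 certificate SHA-256 digest: " + "AB" * 32 + "\n"
)
```

In practice the same comparison can be done on-device with PackageManager's signing-certificate info; the point is that a matching package name alone says nothing about who signed the app.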