Banking Trojans – the greatest threat to mobile devices


We live in a smartphone boom. For several years, they have accounted for over 50% of all mobile devices, which makes cyber threats a big problem for consumers. While PC users are used to using at least basic „safety hygiene”, most smartphone users still consider their device like a telephone – just like an iron or a washing machine.

Today’s smartphone is a full-fledged computer, but it is much more versatile than the one you used 10 years ago. Moreover, it poses a much greater threat – while your PC hard drive did not contain anything of value (apart from e.g. a few documents of your co-workers or photos from your last vacation), on your smartphone you probably keep data that is valuable to you for cyber criminals.

If you have a smartphone, you probably also have a bank account. Currently, banks use a phone number to perform authorization (they send one-time passwords in SMS), which makes cybercriminals willing to penetrate this communication channel to transfer money from your bank account.

Therefore, it is not surprising that banking Trojans are the most profitable mobile threat: they account for over 95% of mobile malware. Over 98% of attacks on mobile banking are targeted at Android devices, which is also not surprising – it is the most popular mobile platform in the world (over 80% of the global smartphone market) and the only one that allows you to install applications from outside of official stores.

Trojans are not as dangerous as viruses because user interaction is required to penetrate the system. However, there are many effective social engineering techniques – the program may, for example, pretend to be an important update or a free level in your favorite mobile game. Moreover, many exploits can automatically activate a malicious program after a user accidentally runs a malicious file.

There are three main ways banking Trojans can be used:

  • Hiding text. The malicious program hides text messages sent by banks on the phone and then sends them to criminals, who in turn transfer money to their accounts.
  • Transfers to smaller amounts. Malicious programs from time to time transfer relatively small amounts of money to fraudulent accounts from an infected user account.
  • Impersonation. Malware mimics a given bank’s mobile application and, after obtaining the user’s login details for a real application, performs the two actions described above.

Most banking Trojans (over 50%) target Russia and the CIS countries, as well as India and Vietnam. Recently, a new generation of universal mobile malware has become more and more popular, capable of downloading updated profiles of various foreign banks from the United States, Germany and Great Britain.

The first Trojan targeting mobile banking was Zeus, also known as Zitmo (Zeus-in-the-mobile), which appeared in 2010 (its PC predecessor, also called Zeus, was created in 2006). This malware has infected more than 3.5 million devices in the US alone and created the largest botnet ever.

It is a classic information hijacker that saves login credentials entered by the user on the interface of a mobile banking app and sends them to the criminal. Then the fraudster can log into the system using the intercepted credentials and perform fraudulent transactions (Zitmo was even able to bypass two-factor authentication).

Moreover, thanks to Zeus, the fraudsters obtained more than 74,000 passwords to FTP servers belonging to various companies (including Bank of America), changing the code so that after each payment attempt they could extract credit card details. Zeus was very active until 2013, when it began to be replaced by the more current Xtreme RAT threat, although the Trojan’s kernel code is still fashionable among malware writers.

SpyEye appeared in 2011 ; one of the most successful banking Trojans ever. It is estimated that its creator, Alexander Panin, sold the code of this threat on the black market for around $ 1,000- $ 8,500. According to the FBI, which deanonymised the creator of SpyEye, 150 people bought and modified this Trojan in order to steal money from various banks. One scammer managed to steal over $ 3.2 million in just six months.

In 2012, another type of Trojan was discovered –  Carberp . It pretended to be Android applications of famous Russian banks, Sberbank and Alfa Bank, targeting users in Russia, Belarus, Kazakhstan, Moldova and Ukraine. Interestingly, the scammers were able to place fake apps on Google Play.

A group of 28 cybercriminals was arrested during a joint Russian-Ukrainian operation. However, Carberp’s source code was published in 2013, so anyone could use it to create their own malicious program. Although the original Carberp was created with the countries of the former Soviet Union in mind, its followers have been identified all over the world, including the United States, European and Latin American countries.

In 2013, the Hesperbot was detected. This malicious program originated in Turkey and has spread worldwide via Portugal and the Czech Republic. In addition to creating the classic threat, the Trojan creates a hidden VNC server on the smartphone, which allows the attacker to manage the device remotely.

The remote access capability does not disappear after the Trojan is removed, however, allowing the attacker to intercept all messages as if the device were in their hands. Thus, it consistently offers the possibility of installing another malicious program. Moreover, the Hesperbot acted not only as a banking Trojan, but also as a bitcoin hijacker, and it was distributed via phishing campaigns (impersonating e-mail services).

In 2014, the source code of Android.iBanking was revealed. It is a comprehensive set for SMS interception and remote device management, valued at up to $ 5,000. Publishing the code resulted in an increase in infections.

The kit includes malicious code that replaces a legitimate banking application (the original application remains fully functional, although it is modified to provide additional functionality), and a Windows program with a convenient interface to control all infected smartphones on the list, which is automatically updated with new victims.

The amazing thing is that despite the availability of the free version of the malware platform, the paid version is more popular. Premium users receive regular product updates and customer support. At the end of last year, two more Trojans were discovered in the Google Play store, which were intended for Brazil and were created without any special programming skills – they were based only on the universal kit available.

When it comes to banking attacks, Brazil is a special country. I will explain it on the example of the popular Boleto mobile payment system . It allows you to send money between users via virtual tokens containing a unique payment identifier, which is sent to the barcode on the display and then scanned by the recipient’s phone with a camera.

Special Trojans attack users of Boleto applications (eg Infostealer.Boleteiro), intercept the generated tokens from the browser and immediately modify them on the fly to be sent to hackers.

In addition, this Trojan monitors the place on websites and banking applications where the ID number is entered into the Boleto system (when replenishing the account in the system) and secretly replaces the original ID with a fake one.

Banking Trojans – the greatest threat to mobile devices

In June 2015, a new Trojan called Android.Bankbot.65.Origin was discovered in Russia. It pretended to be a patch to the official Sberbank Online application and offered „a wider range of mobile banking functions” that would be available after the installation of the „newer version”.

In fact, the app remained a functional mobile banking tool, so it was hard for users to know when something was wrong. As a result, 100,000 Sberbank users lost more than 2 billion rubles in July. They were all users of the Sberbank Online application.

The story of banking Trojans is not over yet. As new applications are developed, attackers use increasingly effective techniques to lure users into the trap. It’s time to properly protect your smartphone .