18 October 2017
Uri Rivner

The Joy of Fraud Fighting

Uri Rivner - BioCatch

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Mobile: Here There Be Monsters

26 March 2012

It’s a new, exciting era for Trojan builders. The mobile space in 2012 is a virginal, uncharted territory that attracts the talent and creativity of black hatters and malware writers like moths to a flame. If you think about it, the entire mobile security space has huge ‘Here there be monsters’ sections where the cartographers don’t really know what to draw. With its unique architecture, security platforms and operating systems, it’s a challenging, yet highly rewarding exercise.

While most Trojan kits are still focused on building scalable, highly effective web harvesting weapons with a growing arsenal of tricks, demand for mobile-based attacks is growing. It’s been slow, but it’s there. In a few years’ time, those Trojan developers who don’t support mobile platforms will go out of business. And I can promise you they have no intention whatsoever of doing so.

Plenty of Trojans affecting the popular Android mobile platform have been reported over the last couple of years. Zitmo, a Zeus Trojan add-on designed to capture and redirect SMS messages containing one-time-passwords, was launched in 2010 (good coverage of that here and here). Similar functionality not tied to the famous Zeus Trojan was reported in the Philippines even earlier. Other Trojans take control over the mobile device so the attacker can use unauthorized premium services or long distance calls, and there are spyware programs that allow you to eavesdrop, get data, and do other useful things.

A new blog post from McAfee shows another step in the evolutionary ladder for mobile Trojans. It’s an Android app that poses as a legit one-time-password generator used by Spanish banks but is actually a man-in-the-middle Trojan that steals both the login password and the OTP, collects some device identifiers as well, and can also be used as a back door for future malicious applications.

Why Android, by the way? Well, security researchers differ in their observations around the relative vulnerability of mobile platforms. In a ‘breaking news – up to the minute hacking threats’ panel I moderated at RSA Conference 2012, we had a lively debate over the matter. Kaspersky Lab’s Roel Schouwenberg maintained that the Android app market, being less controlled, is a fertile ground for malicious apps as opposed to other platforms; Kevin Mahaffey, CTO of mobile security company Lookout, argued that no mobile platforms can be singled out as particularly tough to hack, and the fact Android is more attacked can be explained by market forces in the supply and demand for mobile malware. The ecosystem of Android exploits and malware know-how developed faster than in other platforms, so it’s easier to join the trend.

The new mobile Trojan is more a social engineering attack than a Zeus-style silent Trojan that harvests mobile device traffic. It’s not the long-awaited Zeus for Mobile; it cannot sneak into mobile banking applications and listen in; it is not even designed to capture mobile browsing traffic. It’s a standalone attack that leverages the biggest weakness in the mobile space: the users.

In order for this to work, you first need to download the app. My colleague Bob Griffin wrote about app monitoring in his review of the RSA Conference innovation sandbox; it’s not an easy problem to solve. Then you need to install the app and respond to its social engineering interception not when you bank online but rather when the Trojan itself decides to trigger itself. Still, chances are it will be quite effective. If someone fell for the first step – the download – chances are they’ll fall for any following steps as well.

People’s common sense fails even in the web environment they’ve been using for decades; it’s safe to assume it will fail also in the new, highly dynamic mobile environment. It’s uncharted territory for everyone, and that’s the beauty of it from a cybercriminal perspective. We should expect surprises, creativity and feats of social engineering that can only work in these mobile times.

Comments: (1)

A Finextra member | 28 March, 2012, 08:50

You're right - it's the environment of the operating systems that is critical. Both are very similar under the hood, as both are UNIX operating systems (Linux for Android and BSD for iOS).

The critical thing for the malware writers is that the barriers to the app markets are very high for Apple, but non-existent for Android (although you could bypass either via persuading the victim to download your app from a separate location entirely).
