Guarding against the invisible enemy: Combating mobile malware

In today's global banking landscape, where transactions happen in milliseconds, the threat of mobile malware is escalating.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

Mobile devices, while incredibly convenient for banking, have become prime targets for cybercriminals worldwide. Many malware attacks are recorded simply as fraud, because the financial loss is what gets measured; the lead-up to these events often goes unseen because institutions lack the visibility, or the knowledge of where and how to look, needed to stop them earlier in the kill chain.

Malware is classified by the attacks it can perform, such as Account Takeover (ATO), Device Takeover (DTO) and Automatic Transfer Systems (ATS). ATO involves impersonating a customer using stolen credentials, while ATS automatically changes the attributes of a bank transfer without the customer's consent. Scams, though outside the scope of banking malware, use social tricks to make users carry out actions with their consent. This blog explores the evolution of mobile malware and how banks can bolster their defences.

The evolution of mobile malware

Banking trojans have existed on desktops for decades, but their evolution to mobile platforms has brought unique challenges. A 2022 report from Kaspersky noted a 70% year-over-year increase in mobile banking trojans, reflecting the growing sophistication and prevalence of these threats. 

Initially, mobile malware infected devices via SMS. Users received deceptive text messages appearing to be from trusted sources like banks, leading to malicious websites or premium-rate numbers, resulting in unexpected charges and stolen personal information.

As mobile banking usage expanded and technology evolved, cybercriminals leveraged advanced malware such as spyware and adware, which collect data and display intrusive ads.

Mobile banking trojans have been known to mimic or hide in legitimate apps to capture credentials and intercept communications. Key features include:

  • App mimicry: Replicating legitimate app interfaces, for example to capture credentials
  • Credential theft: Overlaying fake login screens to capture user details and OTPs
  • Communication interception: Intercepting SMS messages and OTPs, and hiding notifications
  • Real-time manipulation: Altering transactions without the user's knowledge

Advanced techniques to evade detection include code obfuscation, polymorphism, delayed activation, and behavioural mimicry. These methods significantly complicate the process of identifying and eradicating threats. For instance, droppers—apps containing minimal malicious code—bypass Google Play Store security measures by using tactics such as fake updates. These updates prompt users to accept the installation of a secondary .apk file from a third-party server, and so facilitate the installation of malware like TeaBot.

Despite the security measures implemented by iOS and Android, cybercriminals bypass them through third-party app stores or system vulnerabilities.
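The capabilities listed above (overlays for fake login screens, SMS and notification interception, and the sideloading a dropper relies on) each correspond to a permission an Android app must declare. The following is an added example, not code from Cleafy, UK Finance or any product mentioned on this page: a small static triage script that reads a decoded AndroidManifest.xml and flags the combination of capabilities typical of overlay-and-SMS banking trojans and droppers. The permission names are real Android identifiers; the two manifests, the weights and the review threshold are constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability
combination typical of overlay-and-SMS banking trojans and droppers.
Added example (hypothetical tooling). Permission names are real Android
identifiers; the sample manifests, weights and threshold are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# capability -> (permissions that grant it, illustrative weight)
CAPABILITIES = {
    "overlay":       ({"android.permission.SYSTEM_ALERT_WINDOW"}, 3),
    "sms_intercept": ({"android.permission.RECEIVE_SMS",
                       "android.permission.READ_SMS"}, 3),
    "sideload":      ({"android.permission.REQUEST_INSTALL_PACKAGES"}, 2),
    "accessibility": ({"android.permission.BIND_ACCESSIBILITY_SERVICE"}, 4),
    "notifications": ({"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}, 2),
}
REVIEW_THRESHOLD = 5  # constructed: roughly "two risky capabilities together"


def extract_permissions(manifest_xml: str) -> set[str]:
    """Collect <uses-permission android:name> entries plus the BIND_*
    permission that gates accessibility / notification-listener services."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name:
            perms.add(name)
    for el in root.iter("service"):
        gate = el.get(f"{{{ANDROID_NS}}}permission")
        if gate:
            perms.add(gate)
    return perms


def triage(manifest_xml: str) -> dict:
    """Score the manifest; a single capability is normal for many legitimate
    apps (SMS clients, accessibility tools), so only the combination is flagged
    for analyst review, never as a verdict on its own."""
    perms = extract_permissions(manifest_xml)
    hits = [cap for cap, (needed, _) in CAPABILITIES.items() if needed & perms]
    score = sum(CAPABILITIES[cap][1] for cap in hits)
    return {"capabilities": sorted(hits), "score": score,
            "review": score >= REVIEW_THRESHOLD}


# Constructed sample manifests (not from any real app).
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, triage(m))
```

Run against a manifest decoded with a tool such as apktool, this gives an analyst a first-pass prioritisation; it says nothing about obfuscated code or behaviour that only appears after a delayed activation, which is why the text above pairs static checks with behavioural analysis.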

Enhancing detection and response with a proactive cyber-fraud approach

To counter mobile malware, financial institutions must adopt a multi-faceted approach:

  • Advanced behavioural analysis: Utilise AI and machine learning to detect subtle deviations in user behaviour. A report by Juniper Research indicates that AI-driven fraud detection systems can potentially reduce costs associated with fraud by up to $11 billion annually, highlighting the critical role of AI in identifying patterns and anomalies that traditional methods often miss, thereby significantly enhancing fraud prevention.
  • Integrated threat intelligence: Incorporate real-time threat intelligence into fraud detection systems. Cleafy shared its discovery of TeaBot (and other zero-day threats) with all their customers as soon as the threat was identified, allowing for swift and coordinated responses.
  • Enhanced user authentication: Implement robust authentication methods like biometrics and multi-factor authentication (MFA). Strong authentication measures are essential to protect user accounts and prevent unauthorised access.
  • Regular training and awareness: Keep detection teams updated on the latest trends and techniques through continuous education. Regular training ensures that security personnel are well-equipped to recognise and respond to emerging threats.
  • Collaboration and information sharing: Work with other institutions and cybersecurity organisations to share insights and strategies. Collaborative efforts enhance the overall security posture by pooling knowledge and resources to combat sophisticated threats.
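The first item above, behavioural analysis, comes down to comparing each banking session with what that customer normally does and looking for the signatures of DTO and ATS activity: a transfer far outside the customer's usual amounts, a session completed far faster than the customer ever manages, a transfer submitted with no human touch input at all, or a large payment to a payee seen for the first time. The following is an added example, not Cleafy's or any vendor's detection logic: a robust-statistics baseline (median and MAD rather than mean and standard deviation, so a few past outliers do not inflate the baseline) over constructed session records, with a graded response rather than a hard block. The feature names, thresholds and sample data are all assumptions.

```python
"""Behavioural scoring of a mobile banking session against the customer's
own history. Added example with constructed data; field names, thresholds
and the decision policy are illustrative assumptions, not a vendor's rules.
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class Session:
    user: str
    amount: float       # value of the transfer submitted in this session
    duration_s: float   # login to transfer submission
    touch_events: int   # genuine touch/keyboard events seen by the app
    new_payee: bool     # beneficiary never used by this customer before


MIN_HISTORY = 5  # constructed: below this, no per-user baseline is trusted


def mad_z(value: float, history: list[float]) -> float:
    """Robust z-score: distance from the median in units of scaled MAD."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # avoid divide-by-zero
    return (value - med) / (1.4826 * mad)


def score_session(s: Session, history: list[Session]) -> dict:
    """Return the triggered indicators and a graded action.
    One indicator alone is common in legitimate use, so it only raises
    monitoring; two or more trigger step-up authentication on the transfer."""
    reasons = []
    if len(history) >= MIN_HISTORY:
        if mad_z(s.amount, [h.amount for h in history]) > 3:
            reasons.append("amount_outlier")
        if mad_z(s.duration_s, [h.duration_s for h in history]) < -3:
            reasons.append("session_too_fast")      # automation, not a person
    if s.touch_events == 0:
        reasons.append("no_user_input")             # transfer with no touches
    if s.new_payee and "amount_outlier" in reasons:
        reasons.append("new_payee_large_amount")    # classic ATS pattern
    if len(reasons) >= 2:
        action = "step_up"
    elif reasons:
        action = "monitor"
    else:
        action = "allow"
    return {"reasons": reasons, "action": action}


# Constructed history for one customer: modest amounts, 2-3 minute sessions.
HISTORY = [
    Session("u1", 40, 120, 31, False), Session("u1", 55, 150, 35, False),
    Session("u1", 60, 130, 29, False), Session("u1", 45, 140, 33, False),
    Session("u1", 50, 160, 38, False), Session("u1", 52, 135, 30, False),
]
NORMAL = Session("u1", 58, 145, 28, False)
# Constructed ATS-like session: large transfer, 9 seconds, no touches, new payee.
SUSPICIOUS = Session("u1", 1500, 9, 0, True)

if __name__ == "__main__":
    print("normal    ", score_session(NORMAL, HISTORY))
    print("suspicious", score_session(SUSPICIOUS, HISTORY))
```

The point of the graded output is operational: a "monitor" verdict feeds the fraud team's queue and the threat-intelligence loop described in the next items, while "step_up" interrupts the transfer with a fresh authentication challenge that an automated transfer system on a compromised device cannot answer on the customer's behalf.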

The UK's National Cyber Security Centre reports that 81% of fraud attacks use cyber and social engineering tactics, with more than 40% involving advanced malware. By leveraging cyber-fraud fusion solutions like Cleafy, banks gain access to state-of-the-art tools and expertise, empowering them to navigate the complex cybersecurity landscape with confidence, as this European bank success story showcases.

Conclusion

A 2023 report on mobile malware revealed a staggering 1,400 mobile apps from 800 different brands under siege by 19 distinct families of banking malware (including PixPirate discovered by Cleafy). By investing in advanced behavioural analysis, integrating threat intelligence, and enhancing user authentication, banks can protect themselves and their customers from these invisible enemies.

Join Cleafy's upcoming webinar on 18 July to learn more about combating advanced mobile malware to fortify your institution’s defence against online fraud.
