Jeff Fu Bangcle Security – SecNeo Ltd.. You Probably Already Know About Mobile Banking Threats But...

Page 1:

Win the Cyberwar on Mobile Banking and Payments

Jeff Fu, Bangcle Security – SecNeo Ltd.

Page 2:

You Probably Already Know About Mobile Banking Threats

But you might not know there’s an entire illegal industry dedicated to mobile banking.

Do you know what keys cybercriminals have?

How do they steal money from Android apps?

Page 3:

2013 Malware Threats on Mobile

2013:
• 143,211 new pieces of malware
• 3,905,502 malicious installation packages

2011-2013 in total: approximately 10,000,000 unique malicious installation packages

For the 259 new malware families in Q3 2013

Page 4:

2013 Malware Threats on Android

Android remains a prime target for malicious attacks. 98.05% of all malware detected in 2013 targeted this platform, confirming both the popularity of this mobile OS and the vulnerability of its architecture.

Page 5:

2013 Malware Target Mobile Banking

The cyber industry of mobile malware is becoming more focused on making profits more effectively, i.e., through mobile phishing, theft of credit card information, and money transfers from bank cards to mobile phones and from phones to the criminals’ e-wallets.

2013 The number of mobile banking malware

2013 was marked by a rapid rise in the number of Android banking Trojans.

Page 6:

2013 The Geography of Mobile Threats

Countries where users face the greatest risk of mobile malware infection (the percentage of all attacked unique users)

Rank | Country | % of all attacked unique users
1 | Russia | 40.34%
2 | India | 7.90%
3 | Vietnam | 3.96%
4 | Ukraine | 3.84%
5 | United Kingdom | 3.42%
6 | Germany | 3.20%
7 | Kazakhstan | 2.88%
8 | USA | 2.13%
9 | Malaysia | 2.12%
10 | Iran | 2.01%

Page 7:

Mobile Banking Virus-Svpeng

Svpeng detected by Kaspersky as Trojan-SMS.AndroidOS.Svpeng.A

• Collects phone information
• Steals voice call SMS messages
• Steals money from the victim’s bank account
• Steals logins and passwords to online banking accounts
• Steals bank card information (the number, the expiry date, CVC2/CVV2)

Page 8:

My App Is Already Safe Enough

• My app is well designed; I considered all the potential risks.
• My app is well programmed by senior engineers.
• My app is completely tested; all the bugs are fixed.
• My app is published to the Google Market.
• My customers installed the officially released apps.

Yes, I believe you have done all you can do. But your app is still in danger.

Page 9:

Tampering and Reverse-engineering Attacks

Attack Method | Solution
Bypass integrity protection and verification | No
Steal source code and security logic | No
Repacking the App and conducting fraud | No
Repacking the App and inserting malware code | No
Bypass the local security control | Move security control to server side
Get the symmetric encryption password and decrypt local data | Use asymmetric encryption
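
An added example for the "Move security control to server side" row above (not from the original slides): the first handler trusts result flags sent by the app, the second repeats the PIN and limit checks against server-held records. The account name, PIN, limit and request field names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed server-side state; account name, limit and PIN are sample values.
DAILY_LIMIT = 5000
_SALT = b"constructed-salt"

def _pin_hash(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), _SALT, 100_000)

ACCOUNTS = {"alice": {"pin_hash": _pin_hash("4821"), "spent_today": 4200}}

def transfer_trusting_client(user: str, req: dict) -> str:
    """Weak pattern: the app ran the PIN and limit checks and only reports the result."""
    if req.get("pin_verified") and req.get("within_limit"):
        return "accepted"
    return "rejected"

def transfer_server_enforced(user: str, req: dict) -> str:
    """Server repeats every check from its own records; client flags are ignored."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return "rejected: unknown account"
    amount = req.get("amount")
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        return "rejected: bad amount"
    # Constant-time comparison of the submitted PIN against the stored hash.
    if not hmac.compare_digest(_pin_hash(str(req.get("pin", ""))), acct["pin_hash"]):
        return "rejected: PIN"
    # The limit is computed from the server's running total, not a client claim.
    if acct["spent_today"] + amount > DAILY_LIMIT:
        return "rejected: daily limit"
    acct["spent_today"] += amount
    return "accepted"

# Constructed requests: one with the local checks skipped and the flags forced
# to true, as a modified app would report them, and one from an unmodified app.
TAMPERED = {"amount": 3000, "pin": "0000", "pin_verified": True, "within_limit": True}
GENUINE = {"amount": 500, "pin": "4821"}

if __name__ == "__main__":
    print(transfer_trusting_client("alice", TAMPERED))   # flags alone are enough
    print(transfer_server_enforced("alice", TAMPERED))   # wrong PIN is caught
    print(transfer_server_enforced("alice", GENUINE))    # passes both checks
```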

Page 10:

Dynamic Injection and Hijack Attack

Attack Method | Solution
Dynamic memory injection attack to modify transaction information | No
Dynamic component hook attack to get account ID and password | No
UI hijack attack to get user input | No
Keyboard hijack attack to get user input | No
MAN-IN-THE-MOBILE attack | No
MAN-IN-THE-MIDDLE attack | No

Page 11:

Dynamic Injection Demo

1. Hacker injected code into the payment components

2. Hacker intercepted the transaction data before it was encrypted

3. Hacker modified the account ID and user name

4. The money was transferred to the hacker’s account

5. Hacker tampered with the invoice message or SMS and changed them back to the original transaction account and user name

Page 12:

Root Cause for All These Attacks

Integrity protection failure in the mobile banking app is the root cause of most attacks.

• Static integrity protection failure
• Dynamic integrity protection failure

We need to make sure:

1) The app used by the customers is not tampered with and repacked

2) The app always runs the same as designed

3) The information in the app cannot be accessed and modified

4) All the security logic cannot be bypassed

Page 13:

2013 Financial App Protection

• Financial App Integrity Protection
• Financial App Runtime Protection
• Financial App Data Protection

In the past 3 years, Bangcle has provided services to:

• 100+ financial and e-payment apps
• 500+ business app developers

Our security products have covered more than 300,000,000 smart devices

The leading App Security Provider in the world

Page 14:

Join our Workshop

Schedule: March 19, 4:00 PM ~ 4:45 PM

Join us to get more detailed information about the Bangcle Mobile Banking Security Solution

Enable Enterprise-grade Security into your Mobile Apps

Page 15:

Visit our Booth Number - F01

Page 16:

Thanks