Transcript of the 16-page slide deck getatt.php?filename=oo_3162877.pdf

Page 1:

Stefaan Seys, PhD

Security Architect @ VASCO

Mobile malware threats and countermeasures

Sofia, April 12, 2018

Page 2:

Entities in Online Banking Application

[Figure: the parties involved in an online banking transaction: End-user, Communication network (e.g. Internet, SS7), ATM network, Bank, Data centre]

End-user side, main attack vectors:

• Phishing

• Financial malware

Bank / data centre side, main attack vector:

• Advanced Persistent Threats (APTs)

Page 3:

Trojans

Virtually all banking malware is a Banking Trojan.

Trojan = innocent-looking app that includes hidden malicious capabilities

Page 4:

Mobile Banking Trojans: a short History

2010: Zeus

2013: Svpeng

2014: Torec

2015: Gugi; Torec becomes Acecard; Marcher, Faketoken

2016: Acecard, Marcher, Faketoken, Svpeng, Asacub; Gugi also includes overlays

2017: Bankbot; Svpeng adds a keylogger through the ACCESSIBILITY permission

Page 5:

Banking Trojans – Main functionality

Infection:

• Installation on the mobile device

Monitor and attack:

• Check which banking apps the user has installed

• Compare the installed apps with a filter list

• Capture credentials and upload them to the C2 server via a secure channel

• Take control of the victim app (rooted)

Self-protection:

• Hiding: ensure the Trojan cannot be detected by security software

• Obfuscation: make analysis and reverse engineering more difficult

Update:

• Download additional software modules

• Update the filter list from the C2 server

Page 6:

Mobile banking Trojans almost exclusively target Android

• Malware is largely targeting Android-based devices

• Reasons:

Item                 | iOS                                  | Android
Ecosystem complexity | Device and OS by the same company    | Google, OEMs, mobile operators
Security updates     | Older and new devices often patched  | Many devices never patched
App sources          | Only the official app store          | Allows untrusted sources
Vetting by app store | Strong manual vetting                | Automated Bouncer checks
Ease of rooting      | Jailbreak window smaller every year  | Easy to root, or rooted out of the box

Page 7:

Mobile malware infection methods

1. Google Play Store (must circumvent Bouncer)

   a. Does not require the user to enable “untrusted sources”

   b. Sometimes heavily pushed using ads

2. Third-party stores (nothing to circumvent)

3. Drive-by download (typically on adult sites, posing as a video player)

4. Phishing (SMS and chat very popular on mobile)

5. Exploiting a security vulnerability to install files without a security warning

   • E.g. Stagefright vulnerability (August 2015)

   • E.g. Chrome vulnerability (November 2016) caused infection of 300,000 Android devices

6. Counterfeit toolchain (XcodeGhost)

Page 8:

Mobile malware capabilities

1) Without root

   - malware is “limited” to the capabilities of any normal app

2) With root, obtained through

   - the user rooting the phone

   - an exploit for a vulnerability in the OS (e.g., framaroot)

Page 9:

Without root: SMS interception

2011: Zeus-in-the-Mobile (Zitmo) and SpyEye-in-the-Mobile (Spitmo)

2013: Perkele

[Figure: two-channel attack; (1) username/password travel over the Internet between the PC and the bank, (2) the mTAN travels over the cellular network to the phone]

PC malware (Zeus):

• Injects code into the bank's web page and asks the user to install Perkele on the phone

• Steals the credentials (username/password)

Zitmo/Spitmo/Perkele on the phone:

• Looks genuine (tailored to the bank)

• Keeps running in the background

• Intercepts the SMS carrying the mTAN

Page 10:

Without root: Overlays

[Figure: three screenshots]

• Partial overlay for keyboard sniffing

• Partial overlay for stealing credit card data

• Full overlay for credential stealing
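What overlay protection looks like on the app side, as an added example that is not part of the original slides or of VASCO's product: a login screen that drops touches delivered while another window overlaps it, using the standard Android setFilterTouchesWhenObscured flag and the obscured-window flags carried by each MotionEvent, plus Window.setHideOverlayWindows on Android 12 and later. The activity, its layout and the view ids are assumptions.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;

// Added example, not from the slides. Defends the "partial overlay" case: a
// transparent window drawn over our input fields that lets touches fall
// through while it records them (keyboard sniffing, card-number stealing).
// It cannot defend the "full overlay" case: there the victim types into the
// attacker's window and no event ever reaches this activity.
public class LoginActivity extends Activity {
    private static final String TAG = "LoginActivity";

    // R.layout.activity_login and the view ids are assumed to exist.
    private EditText username;
    private EditText password;
    private Button login;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);
        username = findViewById(R.id.username);
        password = findViewById(R.id.password);
        login = findViewById(R.id.login);

        // Framework-level filter: events carrying FLAG_WINDOW_IS_OBSCURED (the
        // touch passed through a visible window above ours) never reach the view.
        for (View v : new View[] {username, password, login}) {
            v.setFilterTouchesWhenObscured(true);
        }

        // Android 12+: ask the system to hide other apps' TYPE_APPLICATION_OVERLAY
        // windows while this window is on top. Needs
        // <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS"/>.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }

        login.setOnClickListener(v -> submitCredentials());
    }

    // Activity-level check: also refuse events when some other window overlaps
    // ours even though the touched point itself was not covered
    // (FLAG_WINDOW_IS_PARTIALLY_OBSCURED, Android 10+).
    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        if (isObscured(ev.getFlags())) {
            Log.w(TAG, "touch dropped: another window overlaps the login screen");
            return true;   // consume the event without acting on it
        }
        return super.dispatchTouchEvent(ev);
    }

    static boolean isObscured(int motionEventFlags) {
        if ((motionEventFlags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            return true;
        }
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (motionEventFlags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
    }

    private void submitCredentials() {
        // Hand username/password to the app's secure channel (not shown).
    }
}
```

Dropping the event is the safe default; a production app would rather tell the user that another app is drawing over the screen, because FLAG_WINDOW_IS_PARTIALLY_OBSCURED is also set by harmless floating windows (chat heads, screen filters). The check is visible to anyone who decompiles the app, so it is only as strong as the integrity protection and obfuscation around it.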

Page 11:

Without root: ACCESSIBILITY permission to take control

2017: Bankbot, targeted over 200 banks

Bankbot’s dropper is named “Google Service” and asks the user for the Accessibility permission
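The app-side counterpart of this attack is screen-reader detection. The class below is an added example, not code from the slides or from VASCO's product: it enumerates the accessibility services that are enabled right now through the standard AccessibilityManager API and reports any whose package is not on an allow-list of known assistive technology. The allow-list contents are an assumption.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example, not from the slides. An enabled accessibility service can read
// every view on screen (including what the user types into us) and inject
// clicks, which is what Bankbot abuses. The app cannot revoke the service, but
// it can refuse to show a login screen, or step up to out-of-band
// confirmation, while an unknown service is active.
public final class AccessibilityServiceCheck {

    // Assistive technology the bank accepts. The two entries are TalkBack's
    // package names; the list itself is an assumption for this example and a
    // real deployment would maintain it server-side.
    private static final Set<String> ALLOWED_PACKAGES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "com.google.android.marvin.talkback",
                    "com.android.talkback")));

    public static final class Finding {
        public final String packageName;
        public final String serviceId;           // "package/.ServiceClass"
        public final boolean canReadScreen;      // CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT
        public final boolean canPerformGestures; // CAPABILITY_CAN_PERFORM_GESTURES

        Finding(String packageName, String serviceId,
                boolean canReadScreen, boolean canPerformGestures) {
            this.packageName = packageName;
            this.serviceId = serviceId;
            this.canReadScreen = canReadScreen;
            this.canPerformGestures = canPerformGestures;
        }

        @Override public String toString() {
            return serviceId + " (reads screen: " + canReadScreen
                    + ", performs gestures: " + canPerformGestures + ")";
        }
    }

    // Enabled accessibility services whose package is not on the allow-list.
    // An empty result means nothing suspicious is active at this moment.
    public static List<Finding> findUntrustedServices(Context ctx) {
        List<Finding> findings = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return findings;
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (ALLOWED_PACKAGES.contains(pkg)) continue;
            int caps = info.getCapabilities();
            findings.add(new Finding(
                    pkg,
                    info.getId(),
                    (caps & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0,
                    (caps & AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0));
        }
        return findings;
    }

    // Typical use from a login Activity's onResume() and again before
    // transaction signing: block while an untrusted service that can read the
    // screen or drive the UI is enabled.
    public static boolean loginAllowed(Context ctx) {
        for (Finding f : findUntrustedServices(ctx)) {
            if (f.canReadScreen || f.canPerformGestures) return false;
        }
        return true;
    }
}
```

Re-run the check on every onResume(), not only at start-up, since the user can enable a service in Settings and come back. An allow-list produces false positives for legitimate assistive apps, so the practical response is to explain which service was found and let a server-side risk engine decide on step-up, rather than to hard-block.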

Page 12:

Without root: Repackaged App

Original smali of the login button handler, as decompiled from the app (excerpt):

    # virtual methods
    .method public final onClick(Landroid/view/View;)V
        .locals 3
        .line 122
        invoke-virtual {p1}, Landroid/view/View;->getId()I
        move-result v0
        sget v1, Lo/Iw$f;->button:I
        if-ne v0, v1, :cond_1
        .line 123
        iget-object v0, p0, Lo/JE;->B:Lo/JE$c;
        .line 4078
        iget-object v1, p0, Lo/JE;->A:Landroid/widget/EditText;

The same method after modification; the app is then rebuilt and re-signed with the attacker's key:

    # virtual methods
    .method public final onClick(Landroid/view/View;)V
        .locals 3
        # Changed by Stefaan
        # send our new string to the log.
        # this can be used to debug and can be picked up with ddms, logcat
        # or log collector. as an exercise look up what the d() function does
        # in the android developer documentation.
        sget-object v2, Ljava/lang/System;->out:Ljava/io/PrintStream;
        invoke-virtual {v2, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
        # End of changes
        [original code here]

Distribution of the repackaged app: phishing, 3rd-party store, drive-by download
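The matching countermeasure is app integrity protection. Because a rebuilt APK must be re-signed and the attacker does not hold the bank's release key, the app can verify at runtime that the certificate it is signed with is the expected one. The class below is an added example, not code from the slides or from VASCO's product; the pinned fingerprint is a placeholder.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

// Added example, not from the slides: detect repackaging by comparing the
// SHA-256 of the signing certificate the installed APK actually carries with
// the fingerprint of the release certificate compiled into the app.
public final class SigningCheck {

    // Placeholder (assumption): replace with the SHA-256 of your release
    // certificate, e.g. from `apksigner verify --print-certs app.apk`.
    static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // true only if one of the current signers matches the pinned fingerprint.
    public static boolean isGenuine(Context ctx) {
        try {
            for (Signature sig : currentSigners(ctx)) {
                // Signature.toByteArray() is the DER-encoded X.509 certificate,
                // the same bytes that apksigner and keytool fingerprint.
                if (EXPECTED_CERT_SHA256.equals(sha256Hex(sig.toByteArray()))) {
                    return true;
                }
            }
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            // Cannot establish our own identity: fail closed.
        }
        return false;
    }

    private static Signature[] currentSigners(Context ctx)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            // Current signer(s) only; certificates rotated away are not included.
            return pi.signingInfo.getApkContentsSigners();
        }
        @SuppressWarnings("deprecation")
        PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return pi.signatures;
    }

    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format(Locale.ROOT, "%02x", b));
        return sb.toString();
    }
}
```

The check is itself just another method that the smali edit shown above can patch out (for instance by making isGenuine return true), so on its own it only raises the bar. It earns its place when the comparison is obfuscated or moved into native code, and when the result is also verified server-side rather than trusted from the client.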

Page 13:

Banking Trojans with root access

• Rooting / jailbreaking

  • Typically, one user of the device has “super” powers on the device

  • The mobile OS usually does not allow the owner of the device to access the “root” user

  • Rooting (Android) or jailbreaking (iOS) provides access to the “root” user

• Risks due to rooting:

  1. Banking Trojan can read files on the device: any file

  2. Banking Trojan can write to files on the device: including system libraries!

  3. Banking Trojan can hook into another process

[Figure: Android process isolation. App 1 and App 2 each run as a separate process with a unique UID, their own runtime and private data, on top of the Linux kernel. The malware is also a separate process with its own UID, but running as ROOT it injects a hook agent and a hooking script into the victim app's process and takes control of it.]
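Root and hook detection, as an added example that is not part of the slides or of VASCO's product: the class collects the indicators a banking app can gather from inside its own sandbox, namely a build signed with test-keys, well-known su binaries and root-manager paths, and hooking-framework libraries mapped into the app's own process as listed in /proc/self/maps. The path and marker lists are assumptions, and the sample maps lines are constructed, not captured from a device.

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example, not from the slides. Each indicator is a heuristic, not
// proof: Magisk hides su, and a hooking framework can rename its agent
// library, so the results should feed a server-side risk decision rather
// than a single boolean that the attacker can patch out.
public final class RootAndHookIndicators {

    // Common su binaries and root-manager locations (assumed list; extend it
    // from your own telemetry).
    static final String[] SU_PATHS = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
            "/system/app/Superuser.apk", "/system/app/SuperSU.apk", "/data/adb/magisk"
    };

    // Substrings identifying hooking frameworks once their libraries are
    // mapped into our process (the "hook agent" of the figure above).
    static final String[] HOOK_MARKERS = {
            "frida-agent", "frida-gadget", "libxposed", "libsubstrate", "libriru", "liblsposed"
    };

    public static List<String> rootIndicators() {
        List<String> hits = new ArrayList<>();
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            hits.add("build signed with test-keys (custom/engineering ROM)");
        }
        for (String p : SU_PATHS) {
            if (new File(p).exists()) hits.add("found " + p);
        }
        return hits;
    }

    // Reads /proc/self/maps, which is readable without root, and reports any
    // mapping whose path contains a known hooking-framework library.
    public static List<String> hookIndicators() throws IOException {
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) lines.add(line);
        }
        return scanMaps(lines);
    }

    // Pure function over maps lines so the logic can be exercised on the
    // constructed sample below or in a unit test.
    static List<String> scanMaps(List<String> mapsLines) {
        List<String> hits = new ArrayList<>();
        for (String line : mapsLines) {
            // format: address perms offset dev inode [path]
            String[] fields = line.trim().split("\\s+", 6);
            if (fields.length < 6) continue;            // anonymous mapping, no path
            String path = fields[5].toLowerCase();
            for (String m : HOOK_MARKERS) {
                if (path.contains(m)) { hits.add(m + ": " + path); break; }
            }
        }
        return hits;
    }

    // Constructed sample (not captured from a real device): one clean mapping
    // and one Frida agent mapping; scanMaps(SAMPLE_MAPS) reports only the second.
    static final List<String> SAMPLE_MAPS = Arrays.asList(
            "7f1a2c000000-7f1a2c1ff000 r-xp 00000000 fd:00 1234  /system/lib64/libc.so",
            "7f1a30000000-7f1a31000000 r-xp 00000000 00:00 0     /data/local/tmp/re.frida.server/frida-agent-64.so");
}
```

Combine these with android.os.Debug.isDebuggerConnected() for the "debug prevention" item, and keep in mind that a framework which already hooks libc can also lie to the open() that reads /proc/self/maps; performing the same scan from native code, and reporting the raw findings to the server, makes that harder.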

Page 14:

Remote Code Execution

• No “malware” is present on the device

• The code is pushed or pulled remotely and executed on the device because of a vulnerability in some library

• Usually components running with high privileges (“root”) are targeted

Well-known examples:

• Stagefright (2015, media engine)

• Chrome JavaScript engine exploit (2016, browser)

• Blueborne (2017, bluetooth)

• Broadpwn (2017, Broadcom WiFi chips)

Every day new vulnerabilities are reported and patched, but very few of them are ever exploited on a large scale

Page 15:

Classification of Banking Trojans by capability and risk level

[Figure: matrix with Likelihood on one axis and Threat on the other, each graded Low / Medium / High, placing four classes: Banking Trojan without root access, Banking Trojan with root access, Repackaged banking app, Remote code execution]

Page 16:

VASCO Mobile App Protection

Runtime Application Self-Protection:

• Jailbreak & root detection

• Overlay protection

• Trusted keyboards

• Screen reader detection

• App integrity protection

• Hook & debug prevention

• Code obfuscation

• Device binding

• Secure storage

• Behavioral authentication

• Face authentication

• Fingerprint authentication

• Secure login

• Transaction signing

• Secure channel

VASCO DIGIPASS4Apps