New bot malware leaves financial apps dangerously exposed
In June, the FBI issued a warning about the safety of mobile banking apps, particularly highlighting the danger of trojans designed to capture passwords, steal financial information and take over accounts.
The EventBot trojan, for example, which appeared in April, masquerades as an Adobe or Microsoft Word app for Android, but its true purpose is to steal information from unprotected financial apps on the device.
EventBot is a particularly frightening development for mobile banking for three reasons. First, it hides in an altered version of an app that seems legitimate. Second, it currently focuses on stealing unprotected information in banking, wallet, payment and cryptocurrency mobile apps.
The malware is even able to intercept SMS messages, so it can steal one-time two-factor authentication codes along with user credentials and passwords. Finally, the malware is evolving quickly, as it appears to have a team with an entrepreneurial strategy behind it. As security measures catch up with EventBot, its operators seem ready to find new weaknesses to exploit.
The risk, though, goes far beyond trojans like EventBot. Banking apps are dangerously insecure, and cybercriminals have taken notice, especially since the pandemic has increasingly pushed consumers to bank using mobile apps.
Forbes, for example, reports a 35%-80% increase in mobile banking as a result of COVID-19. And mobile app development, in general, is nowhere near where it needs to be in terms of security. According to the Verizon Mobile Security Index 2020, 43% of organizations said they knowingly cut corners on mobile security in 2019 to “get the job done.”
There are many vulnerabilities that are prevalent in banking apps, but the most common are:
Unencrypted dynamic data. These strings are exchanged with the bank’s back-end servers at run time and carry information that an attacker who captures them can use to compromise the account or the back end.
TLS keys and certificates stored in the clear. A certificate on its own is public; the danger is the private key that goes with it, or the app’s pinning material, stored unprotected on the device. With the key, an attacker can impersonate the bank’s server (or, for a client certificate, the customer), which makes a man-in-the-middle attack straightforward.
Insecure APIs. Trend Micro found 50 major financial institutions plus scads of fintech startups using APIs with serious security flaws. Insecure APIs can expose secrets and enable hackers to compromise apps and servers.
Mods and fake apps. Many apps do not obfuscate their code or protect their binaries against debuggers, which lets attackers understand the inner workings of the app and repackage it as a trojanized or fake app like EventBot.
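The man-in-the-middle point in the list above, as an added example in Python that is not code from the article or from any product it mentions: the trust-all TLS context that a hurried app ships with, beside a hardened context that verifies the chain and host name and then checks the presented certificate against a pin list. The host name, port and pin values in the usage section are placeholders, and the certificate bytes used to exercise the pin helper are constructed, not a real certificate.

```python
"""Trust-all TLS client (the mistake) beside a pinned client (the fix).

Added example, not code from the article or any product it names.
Host name, port and pins in the usage block are placeholders.
"""
import base64
import hashlib
import hmac
import socket
import ssl


def make_insecure_context() -> ssl.SSLContext:
    """The weak setting: accept any certificate and skip the host-name check.

    An on-path attacker holding any self-signed certificate can read and
    modify every request sent through this context.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    """Verify the chain against the platform trust store and the host name.

    check_hostname and CERT_REQUIRED are already the defaults of
    create_default_context(); they are set explicitly so a later edit
    cannot silently weaken them.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def pin_of(cert_der: bytes) -> str:
    """Base64(SHA-256(DER)) of a certificate, the usual pin-list format."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def pin_matches(cert_der: bytes, allowed_pins: set[str]) -> bool:
    """Constant-time check that the presented certificate is on the pin list."""
    presented = pin_of(cert_der)
    return any(hmac.compare_digest(presented, pin) for pin in allowed_pins)


def connect_pinned(host: str, port: int, allowed_pins: set[str],
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it if the leaf certificate is not pinned.

    Chain and host-name validation happen inside wrap_socket(); the pin
    check runs after the handshake on the DER bytes the server presented.
    """
    ctx = make_hardened_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        leaf_der = tls.getpeercert(binary_form=True)
        if leaf_der is None or not pin_matches(leaf_der, allowed_pins):
            raise ssl.SSLError("certificate pin mismatch for %s" % host)
    except Exception:
        tls.close()  # never hand back a socket that failed the pin check
        raise
    return tls


if __name__ == "__main__":
    # Placeholder values: replace with the bank's host and its current
    # pin plus a backup pin before use.
    BANK_HOST = "api.example-bank.invalid"
    BANK_PINS = {"<current-pin>", "<backup-pin>"}
    sock = connect_pinned(BANK_HOST, 443, BANK_PINS)
    print("pinned connection established:", sock.version())
    sock.close()
```

Pinning the whole leaf certificate, as here, means the pin changes at every renewal, so the app must ship a backup pin for the next certificate or it will lock itself out. Pinning the SubjectPublicKeyInfo instead survives renewals that keep the key, but extracting it needs an ASN.1 parser outside the standard library.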
It doesn’t have to be this way. Implementing security manually into banking apps is expensive and time-consuming, and that assumes development teams manage to hire and hold on to increasingly scarce Android and iOS security talent. There are more efficient alternatives, such as integrating security software development kits (SDKs) into apps or taking advantage of AI-powered no-code platforms that can secure apps in minutes with just the binary.
In any case, mobile banking app security must be a top priority for developers. Because if consumers come to believe they cannot trust their institution’s app, they will likely leave to find one they can.