Recently, the Dutch company Securify came across a new sample of the BankBot Android mobile banking malware.

While older samples of BankBot mainly targeted Russian financial institutions, the latest sample shows that BankBot now targets European and American institutions as well. More specifically BankBot now targets over 420 leading institutions in countries such as Germany, France, Austria, the Netherlands, Turkey and the United States.

BankBot is a banking Trojan horse that poses as an apparently benign consumer banking application. When the application is installed and run, it asks for administrative privileges. Once these privileges are granted, the icon disappears from the home screen. From that moment, the device is compromised and BankBot attempts to steal the customer’s credentials (e.g., username and PIN) and debit or credit card information.

Android handset
Bloomberg News

BankBot tries to steal banking credentials by using a well-known technique called overlay. The malware creates a window that mimics the look and feel of the targeted mobile banking app, and it aims to trick users into entering their credentials. This overlay window is positioned on top of the target app when the user launches it. Because the fraudulent overlay window is created to look exactly like the target app, the user usually believes they are interacting with their institution’s genuine mobile banking app.

The BankBot malware comes with a list of names of mobile banking apps that it targets, and it compares names in this target list against the names of apps running on the Android device of the user. When BankBot detects that a running app is present in its target list, it generates the overlay window and positions it on top of the target app to deceive the device’s owner.

Technologists reviewing the following code snippet of BankBot can see exactly how the malware checks whether any of the processes running on the Android device are present in the target list, and how the malware launches the overlay injection routine. The comments in the code have been added by threat analyst Ernesto Corral to simplify reading.

The overlay itself consists of a customized WebView, which is an Android component that can be used to show a web page within an app. The content of the WebView is downloaded on the fly from the C2 server.

Can runtime application self-protection (RASP) offer protection? An analysis of a test shows RASP successfully defends mobile banking apps targeted by BankBot against overlay attacks. As a result, we can safely say that all of the more than 420 apps targeted by BankBot are protected, if so equipped. This is crucial because virtually all currently known malware families use the same deceptive overlay technique as BankBot. A good example of another malware family using this technique is Marcher, one of the most active banking malware families of 2016 according to Kaspersky’s report Financial Cyberthreats in 2016.

Moreover, RASP’s generic overlay protection mechanism ensures “future-proofing”: Any new mobile banking apps that are targeted by BankBot in the future using the same overlay technique, will also be protected.

Even if a banking Trojan should manage to steal a user’s banking credentials (his or her PIN, for instance), the user’s credentials would be of little value to a fraudster, if the app is protected with two-factor authentication, as were apps and devices in this test.

Apps protected in this way use two authentication elements: something the user knows (for example, the PIN) and something the user has (e.g., a cryptographic key stored on the mobile device), which is used to generate one-time passwords. While overlay attacks can be used to target the knowledge factor, they cannot attack the possession factor to steal the cryptographic key.

Analysts at the threat research labs used in this study analyzed the internals of malware such as Bankbot and Marcher. Findings show that at this point, many or most Android mobile banking malware families use the same approach to create fraudulent overlay windows that deceive users.

Based on lab testing, I and the threat research lab team are confident that RASP technology can, if properly developed and with sufficient security features to detect and prevent application-level intrusions, offer protection against all malware families that use this approach. Furthermore, two-factor authentication functionality can ensure that even successful overlay attacks can be thwarted.

Frederik Mennes

Frederik Mennes

Frederik Mennes is manager of the Security Competence Center at Vasco Data Security.