The international threat report is intended to describe the typical behaviour of Android malware, in particular within a financial context. To access the full document please scan the QRCode below.

Developers of mobile banking/payments malware are the first to use new technologies and are always looking for ways to bypass security mechanisms implemented in mobile operating systems.

The full report is composed of four sections as follows:

  • Section 1 describes the context of a mobile malware attack. A huge amount of mobile malware has been developed in the last years (the full report, Mobile Financial Malware 2017: international threat report, covers this in detail). This is caused by two factors. In the first place, the mobile app development context is technologically less mature, especially from a security perspective. Secondly, users have less insight into the implications of their actions when they use a mobile device. A very meaningful quote that best describes this aspect in a few words is: “For those who target personal bank accounts, mobile malware is cheaper and safer to use than banking trojans.”

With the purpose of addressing the importance of mobile security, Figure 1 shows the ever-growing number of mobile devices across the world, which in 2016 even surpassed desktops in terms of connections to the Internet. Enforcing security on mobile devices has never been so crucial: what we’ve seen so far is only the beginning.

Figure 1: Snapshot of worldwide Internet usage through May 2017 (source: StatCounter).
  • Section 2 describes how attackers inject malicious applications or code into users’ devices. The typical goal of attackers is obtaining payment credentials, which could be used later on to commit fraud, or accessing private user data.

Summarizing, a mobile attack consists of three main phases: injection, backdoor installation, data exfiltration.

  • The malware injection phase aims at bringing a malicious application or piece of code to the execution environment in which the attack will be performed.
  • The backdoor installation phase aims at opening a unidirectional or bidirectional connection towards a backend owned by the attacker. Its purpose is to set up a persistent communication channel between the infected device and the malicious agent.
  • The exfiltration phase aims at accessing sensitive information and forwarding it through the communication channel established in the previous phase.

“Attackers typically aim at compromising confidential user information with the purpose of executing final attacks on other channels. In order to access private user data, an attacker exploits users’ trust in known sources and users’ risk misperception in performing sensitive actions on mobile devices”.

This approach is used in the injection phase, for example by means of trojans, and/or in the data exfiltration phase. Figure 2 shows an example of a bankbot malware sample, Jewel Star Classic, distributed through the Google PlayStore. This trojan, created by injecting a malicious payload into legitimate code, aimed at spoofing the identity of Jewels Star, a quite famous game with, according to statistics, 50 to 100 thousand legitimate installations. This way, attackers were able to induce users to download and install it. At this point, the injection phase is completed.

Figure 2: The malicious version of Jewel Star in the PlayStore.
  • Section 3 describes how financial malware typically works and provides an overview of the current malware landscape. An extensive analysis of a relevant amount of financial malware samples identifies the six typical behaviours of malware, the malware families and their geographical distribution. Financial cybercriminals are always looking for new ways to exploit users and extract money from them. In recent years, a huge amount of financial malware has been developed, which has led to a variety of malware families. However, the most widespread trends are gaining administration privileges and tricking users through overlays. A very representative family that is showing such behaviour and is currently attacking a variety of organizations is Red Alert24.

In addition to its behaviour, another interesting part is the overlay attack mechanism, which differs from older families both in terms of implementation and in target management. In fact, the targets are stored on the attacker’s server and are not sent back to the mobile malware, so a static analysis of the sample alone does not reveal which applications are overlaid, making the life of an analyst much harder. Cybercriminals are constantly looking for ways to bypass Android’s new protection mechanisms, often using basic but valid techniques.

  • Section 4 describes the solution against the ever-growing threat of financial malware, that is a behaviour-based detection mechanism named malware engine. Conventional antivirus programmes available in the market often still base their detection on signatures. Even if signatures are more precise in detection, this type of approach presents many drawbacks and is generally unable to detect unknown malware. In the mobile context, which is highly dynamic, this is a huge problem.

Verifying whether a new file is malicious can be complex and time consuming. In many cases the malware has already evolved by then. The delay in identifying new forms of malware makes corporations and consumers vulnerable to serious damage. For this reason, our engine based on behavioural analysis involves machine learning mechanisms and advanced algorithms, modelled and implemented as a result of long-term business intelligence tasks.

The advantages for analysts using this kind of solution can be explained with the following quote: “Malware detection is only the first step. It provides information about the related family along with the detected behaviours, allows an analyst to understand the possible impacts on a final client and then trigger the most suitable mitigation”.
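To make the behaviour-based approach concrete, here is an added example (not code from the report or from XTN’s malware engine) that scores an app’s observed behaviours against the three attack phases described above (injection, backdoor installation, exfiltration) and the two trends the report highlights (device-administrator requests and overlays). The indicator names, weights, package names and the threshold are all assumptions constructed for this illustration; a real engine would derive features and weights from large-scale analysis.

```python
"""Toy behaviour-based scoring of Android app observations.

Added example, not the report's or XTN's engine. Indicator names,
weights, thresholds and sample records are constructed for illustration.
"""
from dataclasses import dataclass

# Each indicator maps to the attack phase it evidences and a weight.
# (Assumed names; a real engine would extract these from static/dynamic analysis.)
INDICATORS = {
    "hides_launcher_icon":   ("injection", 2),     # trojan hiding after install
    "requests_device_admin": ("backdoor", 3),      # administration privileges trend
    "persistent_c2_socket":  ("backdoor", 3),      # channel to attacker backend
    "draws_over_other_apps": ("exfiltration", 3),  # overlay trend (credential phishing)
    "reads_sms":             ("exfiltration", 2),  # one-time-code interception
    "sends_contacts":        ("exfiltration", 1),  # low-weight data leak
}

PHASES = ("injection", "backdoor", "exfiltration")


@dataclass(frozen=True)
class AppObservation:
    package: str
    behaviours: frozenset  # set of INDICATORS keys seen for this app


def score(obs):
    """Return (total_score, per_phase_scores) for one observation."""
    unknown = obs.behaviours - INDICATORS.keys()
    if unknown:
        raise ValueError(f"unknown indicators: {sorted(unknown)}")
    per_phase = {phase: 0 for phase in PHASES}
    for behaviour in obs.behaviours:
        phase, weight = INDICATORS[behaviour]
        per_phase[phase] += weight
    return sum(per_phase.values()), per_phase


def classify(obs, threshold=5):
    """Flag an app when its score is high, or when it shows both a
    backdoor channel and an exfiltration behaviour (something to send
    plus a way to send it), even if each on its own scores low."""
    total, per_phase = score(obs)
    phases_hit = sorted(p for p, s in per_phase.items() if s > 0)
    channel_and_data = {"backdoor", "exfiltration"} <= set(phases_hit)
    suspicious = total >= threshold or channel_and_data
    return {
        "package": obs.package,
        "score": total,
        "phases": phases_hit,
        "verdict": "suspicious" if suspicious else "benign",
    }


# Constructed sample observations (package names are invented).
SAMPLE_OBSERVATIONS = [
    # a legitimate game that only uploads contacts for a friends list
    AppObservation("com.example.game.legit", frozenset({"sends_contacts"})),
    # a device-management style app: admin rights alone are not enough to flag
    AppObservation("com.example.mdm.agent", frozenset({"requests_device_admin"})),
    # a trojanized copy combining admin rights, overlays, SMS reading and a C2 channel
    AppObservation(
        "com.example.game.trojanized",
        frozenset({"requests_device_admin", "draws_over_other_apps",
                   "reads_sms", "persistent_c2_socket"}),
    ),
]


def run_sample():
    """Classify the constructed samples; returns a list of verdict dicts."""
    return [classify(obs) for obs in SAMPLE_OBSERVATIONS]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

The point of the phase-aware rule is the one the report makes about the three-phase attack: a single privileged capability (device administration, say) is common in legitimate software, but the combination of a persistent channel to an attacker backend with a data-collection behaviour is what characterises the backdoor and exfiltration phases, and that combination is worth raising to an analyst even when the raw score is modest.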

Figure 3: The worldwide targets distribution maps

Download the report!

*We thank the Global Cyber Security Centre for allowing the reproduction of this article, published in the «GCSEC Newsletter» in April 2018.

Author: Davide Fania, President, XTN

At the beginning, I was an Analyst Programmer, Application Specialist and Project Manager in a wide variety of business applications, particularly specialized in Production & Planning solutions. Over the past 15 years, I’ve created and led some private organizations that initiated breakthroughs in areas as diverse as computer software for textile, food and biomedical markets. I’m one of the pioneers who created, installed and improved the automation system for specimen processing named WASP (www. I created the LIS (Laboratory Information System) Interface connector Architecture (UIC™ – Universal Interface Connector) necessary to upload and download patient and specimen data from/to Hospital & Laboratories Management Software. I’m the inventor of the MALDItrace system (now Colony Picker for the WASPLab automated system), a patented equipment created for specimen and organism traceability in mass spectrometry.

