
Major Android bug discovered targeting banking apps (Includes interview)

The new vulnerability allows real-life malware to pose as legitimate apps with users unaware they’re being targeted, granting hackers access to all kinds of personal information, including SMS, photos, geolocations, contacts and phone logs.

In addition, some examples of malware attacking the vulnerability are variants of the notorious Bankbot Trojan, evidence that attackers are aware of the vulnerability and are actively exploiting it to steal banking credentials and money.

BankBot is a remotely controlled Android banking trojan capable of harvesting banking details using phony login forms for a number of apps, intercepting text messages in order to bypass 2-factor-authentication, and displaying unsolicited push notifications.

To discover more, Digital Journal caught up with Sam Bakken, Senior Product Marketing Manager, OneSpan. Sam is an expert on the mobile security landscape, and OneSpan develops security and anti-fraud solutions.

Bakken begins by describing the new threat: “Promon discovered malware in the wild that allows an attacker to gain access to a user’s SMS messages, photos, geolocation, contacts, phone logs, camera and microphone. In addition, the malware exploited the vulnerability to overlay a counterfeit log-in page over a legitimate app, unbeknownst to the user, and send any credentials the user enters straight to an attacker.”

Bakken goes on to look at the risks presented: “As you might imagine, criminals salivate over the monetization potential in stolen mobile banking credentials and access to one-time-passwords sent via SMS. Promon’s recent findings make the vulnerability as severe as it’s ever been.”

The threat has been around for a considerable time, Bakken notes: “Consumers and app developers alike were exposed to various types of fraud as a result for four years. In addition, now, at least 36 examples of malware attacking the vulnerability as far back as 2017 have been identified—some being variants of the notorious Bankbot Trojan. This goes to show you that attackers are aware of the vulnerability and actively exploiting it to steal banking credentials and money.”

All is not doom and gloom, according to Bakken: “Luckily, app developers can take action to protect their apps and us users. Various mobile app security technologies under the umbrella of in-app protection, including app shielding and runtime protection, make it easier for app developers to mitigate these windows of exposure resulting from security issues in both Android and iOS. The industry analyst firm Gartner forecasts that by 2022, at least 50% of successful attacks against clickjacking and mobile apps could have been prevented using in-app protection.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
