Banking Trojan apocalypse: how hackers are stealing millions

Several weeks ago, I received a phone call from my friend who is a business owner and works in the cargo industry. He informed me that US$24,000 had vanished from his bank account during the previous night. The bank customer care team could not assist and suggested that my friend file a report with the police.

The funds were transferred using a mobile app. The transaction was verified via a text message and appeared to be completely legitimate. My entrepreneur friend asked me to help since I have a cyber security background.

However, it was too late to do anything. The hackers used a banking Trojan to steal the money. The rogue app penetrated my friend's smartphone long before the security incident happened.

To prevent similar issues in the future, it is good to understand the tactics and principles utilized by hackers who deploy this type of malware.

The emergence of banking Trojans

Malware that can redirect incoming SMS messages, including those with TAN codes, to hackers has been prevalent for approximately 15 years. There have also been Trojans that utilize USSD commands in order to transfer money from bank cards connected to phones. However, these viruses were not as advanced as their desktop counterparts.

What is Trojan malware?

The first sophisticated banking Trojan for Android devices appeared in 2011. It was the SpyEye banking Trojan that worked in conjunction with SpyEye malware for Windows. This “teamwork” helped malefactors to trick the multi-factor authentication mechanism.

SpyEye operated as follows:

• When the user of an infected Windows system opened a banking website in their browser, malware on the desktop computer would perform a web injection, inserting code into the webpage.
• The modified page displayed a message stating that due to increased cyber threats, the bank has implemented new security measures and the user is required to download a small app (approximately 35 KB) onto their phone for authorization.
• This software piece was the SpyEye banking Trojan, created to intercept incoming SMS and resend them to hackers. Although the bank website address in the browser was correct and the HTTPS connection was established, the injection happened on the user’s side.

This scheme was not perfect as malicious actors needed to synchronize the mobile app and desktop components. However, the creators of SpyEye were able to overcome this issue.

For a few months, SpyEye caused severe concern among users of banking services, but its activity gradually decreased once it was added to most antivirus databases.

The state of banking Trojans today

Eventually, IT professionals at banks gained appropriate programming skills and banking applications migrated from desktops to mobile phones as Android and iPhone apps. This made it easier for malware creators to develop mobile banking Trojans, as they no longer needed to focus on infiltrating Windows systems.

Each owner of a smartphone with a banking app installed is a potential target for banking Trojans that, like other types of malware, often masquerade as useful and popular programs. Developers of banking Trojans do not advertise their malicious capabilities, which usually do not become apparent until later or after an app update.

In one instance, a banking Trojan was disguised as a program that combined multiple client apps for several major banks. Why use multiple apps when you can download just one?

There have also been instances where malicious elements were inserted into modified versions of genuine bank apps. These apps were distributed by fake bank websites that looked exactly like the real ones.

Mobile banking Trojans can also be spread through phishing SMS messages. There are many ways to trick users. For example, malefactors may offer to buy a product from a user registered on a classified ads site. Hackers may gather personal information about the recipient through leaked user data bases, so they are able to address the victim by their name and lower their guard. Potential victims are encouraged to click on a link within the message. Once they do so, they are redirected to an intermediate page that determines their device model and mobile service provider. They are then redirected to a fake page with an MMS message composed using their mobile carrier style. Upon clicking the faux MMS button, the Trojan is downloaded.

Some older mobile banking Trojans were quite basic in their methods. If the malware needed administrator rights to run, it would continually display a window demanding those rights until the harassed user agreed. Today, hackers may use various tactics to deceive potential victims. For example, a banking Trojan may cunningly request admin privileges by showing a Google Play alert saying that the app version is outdated and there is a need to use the latest version. Once the victim clicks "Yes," malware is granted admin privileges.

Another banking Trojan fools victims into activating Accessibility Services that offer special features for people with disabilities. Once given the necessary permissions, the malware gains admin rights. Once inside a device, the Trojan remains in memory, waiting for the mobile banking app to be launched. Upon detecting this event, the Trojan identifies the running app and displays fake login and password forms on top of the real app. The entered data is sent to the hacker's server.

Mobile banking Trojans can contain HTML code for several dozen pages that mimic the interfaces of popular banks. After this, the banking Trojan has to intercept a one-time password sent via SMS. Eventually, it gets access to the bank account. Actual messages sent by banks are hidden from users.

If the Trojan cannot directly access the bank account, it may instead steal bank card details. Sometimes it is done with the help of false windows that ask to add a bank card to Google Play. While anti-fraud systems used by reputable websites make it difficult to make purchases using stolen card details, it is still possible to pay for small items like online games or music on less popular sites that do not thoroughly check payment details.

Inside the mind of a Bankbot

Bankbots are a subcategory of mobile banking Trojans that have the ability to receive and execute various commands on an infected device. These commands can be transmitted through HTTP (in JSON format), SMS or even a Telegram channel. These commands allow the bankbot to disable SMS interception, silence the phone, send messages to specified phone numbers or execute USSD commands. Many bankbots can install additional APK files on a phone, infecting a device with new malware that has much more malicious features.

In addition, most such malicious apps may send SMS history, the entire address book, and other private info to the hacker’s server, as well as redirect incoming calls to a different phone number controlled by criminals. Some bankbots also have self-defense features that attempt to disable security tools like antivirus software. Bankbots often have a web-based admin panel that provides its operators with statistics on infected devices and information obtained from them.

A growing threat

The proliferation of mobile devices has spawned a thriving underground industry for creating banking Trojans. Dark web advertisements offer banking Trojans and other mobile malware strains like spyware and keyloggers for rent. Malefactors offer complete tech and admin support. Dark marketplaces advertise Trojan builders and kits that allow inexperienced criminals to create a Trojan masquerading as a specific bank app. This has led to a sharp increase in the number of banking Trojans and the likelihood of infection. Usually, rogue apps have admin privileges, and it is hard to find and remove them without doing a factory reset.

It is not uncommon for users to download malware from official sources like Google Play, as the technology for checking apps is not foolproof. Besides, Android is known to have numerous vulnerabilities that hackers can exploit.

While mobile security solutions can detect unauthorized app activity, it is the personal decision of each user to install a particular software on their phone.