Google vs. Banking Bots – The Bots Are Winning

The BankBot trojan is managing to keep Google Engineers on their toes.  The trojan sits, literally, on top of existing banking apps and captures your user name and password.

The initial target was Russian banks.  Then it was “improved” to include UK, Austria, Germany and Turkey.  Who knows what the next version will target.

The creators of this malware have been creative enough to foil Google’s software, called Bouncer, into thinking these are legitimate apps.

A handful of apps have been found that deploy this malware and they have all been taken down – but not before thousands of downloads were made.

BankBot can also steal credentials for Facebook, Youtube, WhatsApp, Uber and other apps.

BankBot can also intercept SMS messages often used in two factor authentication.  THIS is why NIST, has deprecated the use of SMS for two factor authentication.  Too easy to compromise.

In the source article below, there is a list of 424 banking apps that BankBot is targeting.  That is a large number of apps for one piece of malware to target.

One reason we may be seeing this more internationally than in the U.S. is that older versions of Android did not do as good a job of protecting against rogue apps “writing over” legitimate apps on the screen, which is how this malware works.  The user thinks they are typing into the real app because that is what they see, but in reality, the rogue app, sitting on top of the real app is what the user is entering their password into.

This points to another issue.  While Apple is very good about forcing users to upgrade to the current version of iOS, the Android market is fragmented and there is no one company in control.

Within six months of release, Android phones become “obsolete” and companies often stop patching them within a year or two of that release.  Users that continue to use those old Android phones don’t get patches and when those phones are compromised, personal and corporate data on those phones are also compromised.  Silently!

Right now there is a very nasty bit of malware that targets the Broadcom Wi-Fi chip.  It can even work if Wi-Fi is turned off.  Both Apple and Google have patched this in March (Apple) and April (Google), so if you have not installed a major OS upgrade this month, your phone is and will continue to be vulnerable to this attack on the Broadcom Wi-Fi firmware.  This is only one example of a recent attack vector that obsolete phones will remain vulnerable to.

The moral of the story is that companies and individual users of both Android and Apple phones and tablets have to come to grips with the fact that even though those devices still work, if the manufacturer and/or  distributor (like Apple or Verizon) stop supporting those devices, it is time to replace them.  Sorry.  It is a matter of security.  That is no different than the need to upgrade from Windows Vista (which is also not supported), even though it is functioning.  No support = much higher risk of compromise.

In places outside the U.S., old phones running obsolete, non-supported versions of the Android and Apple OSes are commonplace.  As is malware.  And trojans. And security breaches.

This week Apple got caught trying to silently end support for the iPhone 5 in the newest version of their OS.  They changed their mind when they were outed,  but make no mistake – the next version of iOS will likely NOT support the iPhone 5 and at that point, iPhone users are in the same boat as Android users running version 2,3,4 or 5 of the Android OS.

While you may not like this – if you are running one of these unsupported OSes, you either need to figure out if there is an upgrade path, buy a new device (AND DO NOT GIVE THAT OLD DEVICE TO ANYONE – unless, perhaps, you want to give it to someone you really, really don’t like) or stop using that device for anything sensitive like email or online commerce or banking.

Consider yourself warned.

Information for this post came from Bleeping Computer.

Facebooktwitterredditlinkedinmailby feather

Leave a Reply

Your email address will not be published. Required fields are marked *

*

code