SlideShare une entreprise Scribd logo

RSA - Behind the scenes of a fake token mobile app operation

J
juan_h

In the last few years, we have seen the mobile space explode with malware. According to a recent report by Trend Micro, the number of malware and high-risk apps available on the Android platform has crossed the one million mark, growing more than a thousand fold in under 3 years.

TechnologieBusiness
1  sur  5
Télécharger pour lire hors ligne
BEHIND THE SCENES OF A FAKE TOKEN MOBILE APP OPERATION December 2013 In the last few years, we have seen the mobile space explode with malware. According to a recent report by Trend Micro, the number of malware and high-risk apps available on the Android platform has crossed the one million mark, growing more than a thousand fold in under 3 years. To the financial industry, the threat manifests itself in the form of rogue apps (apps that mimic the legitimate banking apps) and in the form of SMS-sniffers. The latter becoming standard functionality when it comes to banking Trojans, designed to overcome a single obstacle: out-of-band authentication using mobile devices. By installing a malicious app on the device, the botmaster can intercept SMS messages and/or telephone calls thus defeating the OOB authentication. It is one such app that we recently analyzed. The app, which has been around for a while and uses the moniker mToken, disguises itself as a fake token app (AV classification), and displays “standard” functionality as far as SMS message interception goes. During the installation process, it would ask the user for the necessary SMS-, and communication-related permissions; and to appear legitimate it made use of the customers’ logos, not to mention displaying a “random” token code when launched (a detailed analysis of the app is available below). But the most interesting finding was the analysis of the Web-based control panel. This offered a behind-the-scenes glimpse into a mobile botnet operation and demonstrated the ease of commanding it, but more importantly—its flexibility and resilience. The panel we analyzed was used in attacks targeting several financial institutions around the globe along with a well-known social media platform. At the time of RSA’s analysis, it was commanding over 2,000 mobile devices and had intercepted over 25,000 SMS messages (see Figure 1 on the following page). FRAUD REPORT R S A M O N T H LY F R A U D R E P O R T page 1
Figure 1 Main screen of the control panel. MOBILE APP DEVELOPMENT ON-THE-FLY The panel’s standard functionality provided the fraudster with the ability to review botrelated information, send HTTP-based commands (to the bot), and review the intercepted SMS messages. But the flexibility and resiliency of the operation was apparent when we hit the application builder screen (see Figure 2). Figure 2 Application (APK) builder screen. Built into the control panel was functionality to create custom-looking malicious mobile apps on-the-fly. Asking the botmaster to provide basic app-related information (such as name) and default communication points, it would offer a selection of existing designs or the ability to create new designs using image files and a simple HTML file. In order to build the app, the panel makes use of APKTool, a freeware, command-line tool used to decompile and recompile Android application packages. The tool wraps the HTML and images in a standard Android APK and makes it available to the fraudster for immediate use. ANALYSIS OF A ROGUE APP The delivery method of the app uses basic social engineering techniques to get the user to download and install the malicious app. Once logged into the bank’s website (on the PC), the malware presents additional, custom screens (using HTML-injection) asking the victim to select the mobile device’s operating system (only Android is supported) and the device’s phone number to which the fraudster then sends an SMS message with a link to download the app. R S A M O N T H LY F R A U D R E P O R T page 2
During the installation process, the app requests permissions to communicate via the internet and to gain access to the SMS messages (send and receive). The app then waits for the botmaster to enable the SMS-sniffing function (via the control panel) at which point it begins to intercept all inbound and outbound SMS messages, forwarding them to the drop server. Analysis of the bot’s communication revealed that it would regularly beacon its command and control server receiving updated communication parameters as well as commands to carry out on the device. Commands included enabling (or disabling) SMS-interception and sending SMS messages from the infected device to a third party. This can be used to send SMiShing messages to other devices that will originate from the victim device and possibly allow the botmaster to grow his botnet. SUMMARY The ability to create custom-looking apps, as well as to command the botnet over HTTP and SMS, makes this operation very resilient. Having two separate communication channels (to the bots) means that any take down effort must affect both points simultaneously. Not to mention the PC-based Trojan operation that can be used to re-infect the mobile devices if needed. It is no secret that relying solely on SMS-based out-of-band authentication is not practical. Taking today’s mobile threat landscape into account will require organizations to consider stronger authentication measures to protect the identities and transactions of their customers. R S A M O N T H LY F R A U D R E P O R T page 3
RSA CYBERCRIME STATISTICS DECEMBER 2013 Source: RSA Anti-Fraud Command Center Phishing Attacks per Month RSA identified 42,364 phishing attacks marking a 31% decrease from October’s record setting number. Typically, November sees a slight increase from October, but last month’s spike could indicate cybercriminals are focused on cashing out. 42,364 Attacks US Bank Types Attacked U.S. nationwide banks saw an increase in phishing volume in November and remained the most targeted with 71% of phishing attacks targeted at that sector. Credit Unions Regional National Top Countries by Attack Volume 76% The U.S. remained the most targeted country in November with an overwhelming 76% of total phishing volume, followed by the UK, India and South Africa. 5% 2% R S A M O N T H LY F R A U D R E P O R T UK 4% U.S. India South Africa page 4
Top Countries by Attacked Brands In November, 26% of phishing attacks were targeted at brands in the U.S., followed by the UK, India, France and Brazil. U.S. 26% UK 12% 47% Top Hosting Countries The U.S. continues to host the most phishing attacks, hosting 47% of global phishing attacks in October, followed by Germany, the UK and the Netherlands. 6% 6% 5% GLOBAL PHISHING LOSSES NOVEMBER 2013 CONTACT US To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller – or visit us at www.emc.com/rsa www.emc.com/rsa ©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. DEC RPT 1213

Recommandé

RSA Monthly Online Fraud Report - June 2013
RSA Monthly Online Fraud Report - June 2013RSA Monthly Online Fraud Report - June 2013
RSA Monthly Online Fraud Report - June 2013EMC
 
HinDroid
HinDroidHinDroid
HinDroidHinDroid
 
2014 Cybercrime Roundup: The Year of the POS Breach
2014 Cybercrime Roundup: The Year of the POS Breach2014 Cybercrime Roundup: The Year of the POS Breach
2014 Cybercrime Roundup: The Year of the POS BreachEMC
 
Security News bytes October 2013
Security News bytes October 2013Security News bytes October 2013
Security News bytes October 2013n|u - The Open Security Community
 
10940 img sytr12_mobile_malware
10940 img sytr12_mobile_malware10940 img sytr12_mobile_malware
10940 img sytr12_mobile_malwareSytelReplyUK
 
14 cyber threats
14 cyber threats14 cyber threats
14 cyber threatsmahesh43211
 
2012 nq mobile_security_report
2012 nq mobile_security_report2012 nq mobile_security_report
2012 nq mobile_security_reportIsnur Rochmad
 
RSA Online Fraud Report - August 2014
RSA Online Fraud Report - August 2014RSA Online Fraud Report - August 2014
RSA Online Fraud Report - August 2014EMC
 

Recommandé

RSA Monthly Online Fraud Report - June 2013
RSA Monthly Online Fraud Report - June 2013RSA Monthly Online Fraud Report - June 2013
RSA Monthly Online Fraud Report - June 2013EMC
 
HinDroid
HinDroidHinDroid
HinDroidHinDroid
 
2014 Cybercrime Roundup: The Year of the POS Breach
2014 Cybercrime Roundup: The Year of the POS Breach2014 Cybercrime Roundup: The Year of the POS Breach
2014 Cybercrime Roundup: The Year of the POS BreachEMC
 
Security News bytes October 2013
Security News bytes October 2013Security News bytes October 2013
Security News bytes October 2013n|u - The Open Security Community
 
10940 img sytr12_mobile_malware
10940 img sytr12_mobile_malware10940 img sytr12_mobile_malware
10940 img sytr12_mobile_malwareSytelReplyUK
 
14 cyber threats
14 cyber threats14 cyber threats
14 cyber threatsmahesh43211
 
2012 nq mobile_security_report
2012 nq mobile_security_report2012 nq mobile_security_report
2012 nq mobile_security_reportIsnur Rochmad
 
RSA Online Fraud Report - August 2014
RSA Online Fraud Report - August 2014RSA Online Fraud Report - August 2014
RSA Online Fraud Report - August 2014EMC
 
2014 Threat Detection Checklist: Six ways to tell a criminal from a customer
2014 Threat Detection Checklist: Six ways to tell a criminal from a customer2014 Threat Detection Checklist: Six ways to tell a criminal from a customer
2014 Threat Detection Checklist: Six ways to tell a criminal from a customerEMC
 
Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attackКомсс Файквэе
 
Online financial fraud infographic
Online financial fraud infographicOnline financial fraud infographic
Online financial fraud infographicPrayukth K V
 
Mobile Threats, Made to Measure
Mobile Threats, Made to MeasureMobile Threats, Made to Measure
Mobile Threats, Made to MeasureLookout
 
FRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook ApplicationsFRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook ApplicationsNagamalleswararao Tadikonda
 
Panda labs annual-report-2012
Panda labs annual-report-2012Panda labs annual-report-2012
Panda labs annual-report-2012Комсс Файквэе
 
Biggest Data Breaches of 2013
Biggest Data Breaches of 2013Biggest Data Breaches of 2013
Biggest Data Breaches of 2013Mihajlo Prerad
 
Pocket virus threat
Pocket virus threatPocket virus threat
Pocket virus threatAli J
 
Android security
Android security Android security
Android security Hassan Abutair
 
B intelligence report-08-2013.en-us
B intelligence report-08-2013.en-usB intelligence report-08-2013.en-us
B intelligence report-08-2013.en-usКомсс Файквэе
 
Fr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsFr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsPvrtechnologies Nellore
 
INTSUM
INTSUMINTSUM
INTSUMworldwidebranding
 
Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revistathe_ro0t
 
The Evolution of Phising Attacks
The Evolution of Phising AttacksThe Evolution of Phising Attacks
The Evolution of Phising AttacksBee_Ware
 
Fr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsFr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsCloudTechnologies
 
Istr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecIstr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecSoluciona Facil
 
Mobile Banking and Lurking Security Threats for 2022
Mobile Banking and Lurking Security Threats for 2022Mobile Banking and Lurking Security Threats for 2022
Mobile Banking and Lurking Security Threats for 2022Wultra
 
Enter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonEnter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonJose Moruno Cadima
 
Wultra: Mobile Application Security
Wultra: Mobile Application SecurityWultra: Mobile Application Security
Wultra: Mobile Application SecurityWultra
 
RSA Monthly Online Fraud Report -- February 2014
RSA Monthly Online Fraud Report -- February 2014RSA Monthly Online Fraud Report -- February 2014
RSA Monthly Online Fraud Report -- February 2014EMC
 
The Current State of Cybercrime 2014
The Current State of Cybercrime 2014The Current State of Cybercrime 2014
The Current State of Cybercrime 2014EMC
 
Meet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportMeet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportEran Goldstein
 

Contenu connexe

Tendances

2014 Threat Detection Checklist: Six ways to tell a criminal from a customer
2014 Threat Detection Checklist: Six ways to tell a criminal from a customer2014 Threat Detection Checklist: Six ways to tell a criminal from a customer
2014 Threat Detection Checklist: Six ways to tell a criminal from a customerEMC
 
Online financial fraud infographic
Online financial fraud infographicOnline financial fraud infographic
Online financial fraud infographicPrayukth K V
 
Mobile Threats, Made to Measure
Mobile Threats, Made to MeasureMobile Threats, Made to Measure
Mobile Threats, Made to MeasureLookout
 
FRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook ApplicationsFRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook ApplicationsNagamalleswararao Tadikonda
 
Biggest Data Breaches of 2013
Biggest Data Breaches of 2013Biggest Data Breaches of 2013
Biggest Data Breaches of 2013Mihajlo Prerad
 
Pocket virus threat
Pocket virus threatPocket virus threat
Pocket virus threatAli J
 
Fr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsFr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsPvrtechnologies Nellore
 
Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revistathe_ro0t
 
The Evolution of Phising Attacks
The Evolution of Phising AttacksThe Evolution of Phising Attacks
The Evolution of Phising AttacksBee_Ware
 
Fr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsFr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsCloudTechnologies
 
Istr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecIstr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecSoluciona Facil
 
Mobile Banking and Lurking Security Threats for 2022
Mobile Banking and Lurking Security Threats for 2022Mobile Banking and Lurking Security Threats for 2022
Mobile Banking and Lurking Security Threats for 2022Wultra
 
Enter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonEnter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonJose Moruno Cadima
 
Wultra: Mobile Application Security
Wultra: Mobile Application SecurityWultra: Mobile Application Security
Wultra: Mobile Application SecurityWultra
 

Tendances (19)

2014 Threat Detection Checklist: Six ways to tell a criminal from a customer
2014 Threat Detection Checklist: Six ways to tell a criminal from a customer2014 Threat Detection Checklist: Six ways to tell a criminal from a customer
2014 Threat Detection Checklist: Six ways to tell a criminal from a customer
 
Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attack
 
Online financial fraud infographic
Online financial fraud infographicOnline financial fraud infographic
Online financial fraud infographic
 
Mobile Threats, Made to Measure
Mobile Threats, Made to MeasureMobile Threats, Made to Measure
Mobile Threats, Made to Measure
 
FRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook ApplicationsFRAppE Detecting Malicious Facebook Applications
FRAppE Detecting Malicious Facebook Applications
 
Panda labs annual-report-2012
Panda labs annual-report-2012Panda labs annual-report-2012
Panda labs annual-report-2012
 
Biggest Data Breaches of 2013
Biggest Data Breaches of 2013Biggest Data Breaches of 2013
Biggest Data Breaches of 2013
 
Pocket virus threat
Pocket virus threatPocket virus threat
Pocket virus threat
 
Android security
Android security Android security
Android security
 
B intelligence report-08-2013.en-us
B intelligence report-08-2013.en-usB intelligence report-08-2013.en-us
B intelligence report-08-2013.en-us
 
Fr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsFr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applications
 
INTSUM
INTSUMINTSUM
INTSUM
 
Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revista
 
The Evolution of Phising Attacks
The Evolution of Phising AttacksThe Evolution of Phising Attacks
The Evolution of Phising Attacks
 
Fr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applicationsFr app e detecting malicious facebook applications
Fr app e detecting malicious facebook applications
 
Istr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecIstr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantec
 
Mobile Banking and Lurking Security Threats for 2022
Mobile Banking and Lurking Security Threats for 2022Mobile Banking and Lurking Security Threats for 2022
Mobile Banking and Lurking Security Threats for 2022
 
Enter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonEnter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox Comparison
 
Wultra: Mobile Application Security
Wultra: Mobile Application SecurityWultra: Mobile Application Security
Wultra: Mobile Application Security
 

Similaire à RSA - Behind the scenes of a fake token mobile app operation

RSA Monthly Online Fraud Report -- February 2014
RSA Monthly Online Fraud Report -- February 2014RSA Monthly Online Fraud Report -- February 2014
RSA Monthly Online Fraud Report -- February 2014EMC
 
The Current State of Cybercrime 2014
The Current State of Cybercrime 2014The Current State of Cybercrime 2014
The Current State of Cybercrime 2014EMC
 
Meet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportMeet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportEran Goldstein
 
The Current State of Cybercrime 2013
The Current State of Cybercrime 2013The Current State of Cybercrime 2013
The Current State of Cybercrime 2013EMC
 
Countering mobile malware in CSP’s network. Android honeypot as anti-fraud so...
Countering mobile malware in CSP’s network. Android honeypot as anti-fraud so...Countering mobile malware in CSP’s network. Android honeypot as anti-fraud so...
Countering mobile malware in CSP’s network. Android honeypot as anti-fraud so...Denis Gorchakov
 
Review on mobile threats and detection techniques
Review on mobile threats and detection techniquesReview on mobile threats and detection techniques
Review on mobile threats and detection techniquesijdpsjournal
 
Report of android hacking
Report of android hackingReport of android hacking
Report of android hackingdiv2345
 
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICES
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICESMALWARE DETECTION TECHNIQUES FOR MOBILE DEVICES
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICESijmnct
 
Malware detection techniques for mobile devices
Malware detection techniques for mobile devicesMalware detection techniques for mobile devices
Malware detection techniques for mobile devicesijmnct
 
Security News Bytes March 2020
Security News Bytes March 2020Security News Bytes March 2020
Security News Bytes March 2020Hiren Sadhwani
 
RSA Monthly Online Fraud Report -- December 2014
RSA Monthly Online Fraud Report -- December 2014RSA Monthly Online Fraud Report -- December 2014
RSA Monthly Online Fraud Report -- December 2014EMC
 
“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”iosrjce
 
IRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET Journal
 
H1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape ReportH1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape ReportBitdefender
 
Discuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxDiscuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxbkbk37
 
Discuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxDiscuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxwrite12
 
A Study on Modern Methods for Detecting Mobile Malware
A Study on Modern Methods for Detecting Mobile MalwareA Study on Modern Methods for Detecting Mobile Malware
A Study on Modern Methods for Detecting Mobile MalwareIRJET Journal
 

Similaire à RSA - Behind the scenes of a fake token mobile app operation (20)

RSA Monthly Online Fraud Report -- February 2014
RSA Monthly Online Fraud Report -- February 2014RSA Monthly Online Fraud Report -- February 2014
RSA Monthly Online Fraud Report -- February 2014
 
The Current State of Cybercrime 2014
The Current State of Cybercrime 2014The Current State of Cybercrime 2014
The Current State of Cybercrime 2014
 
Meet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportMeet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis Report
 
Rpt repeating-history
Rpt repeating-historyRpt repeating-history
Rpt repeating-history
 
The Current State of Cybercrime 2013
The Current State of Cybercrime 2013The Current State of Cybercrime 2013
The Current State of Cybercrime 2013
 
Countering mobile malware in CSP’s network. Android honeypot as anti-fraud so...
Countering mobile malware in CSP’s network. Android honeypot as anti-fraud so...Countering mobile malware in CSP’s network. Android honeypot as anti-fraud so...
Countering mobile malware in CSP’s network. Android honeypot as anti-fraud so...
 
Review on mobile threats and detection techniques
Review on mobile threats and detection techniquesReview on mobile threats and detection techniques
Review on mobile threats and detection techniques
 
Report of android hacking
Report of android hackingReport of android hacking
Report of android hacking
 
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICES
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICESMALWARE DETECTION TECHNIQUES FOR MOBILE DEVICES
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICES
 
Malware detection techniques for mobile devices
Malware detection techniques for mobile devicesMalware detection techniques for mobile devices
Malware detection techniques for mobile devices
 
News Bytes
News BytesNews Bytes
News Bytes
 
Security News Bytes March 2020
Security News Bytes March 2020Security News Bytes March 2020
Security News Bytes March 2020
 
RSA Monthly Online Fraud Report -- December 2014
RSA Monthly Online Fraud Report -- December 2014RSA Monthly Online Fraud Report -- December 2014
RSA Monthly Online Fraud Report -- December 2014
 
“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”
 
P01761113118
P01761113118P01761113118
P01761113118
 
IRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection Methods
 
H1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape ReportH1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape Report
 
Discuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxDiscuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docx
 
Discuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxDiscuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docx
 
A Study on Modern Methods for Detecting Mobile Malware
A Study on Modern Methods for Detecting Mobile MalwareA Study on Modern Methods for Detecting Mobile Malware
A Study on Modern Methods for Detecting Mobile Malware
 

Dernier

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Dernier (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

RSA - Behind the scenes of a fake token mobile app operation

  • 1. BEHIND THE SCENES OF A FAKE TOKEN MOBILE APP OPERATION December 2013 In the last few years, we have seen the mobile space explode with malware. According to a recent report by Trend Micro, the number of malware and high-risk apps available on the Android platform has crossed the one million mark, growing more than a thousand fold in under 3 years. To the financial industry, the threat manifests itself in the form of rogue apps (apps that mimic the legitimate banking apps) and in the form of SMS-sniffers. The latter becoming standard functionality when it comes to banking Trojans, designed to overcome a single obstacle: out-of-band authentication using mobile devices. By installing a malicious app on the device, the botmaster can intercept SMS messages and/or telephone calls thus defeating the OOB authentication. It is one such app that we recently analyzed. The app, which has been around for a while and uses the moniker mToken, disguises itself as a fake token app (AV classification), and displays “standard” functionality as far as SMS message interception goes. During the installation process, it would ask the user for the necessary SMS-, and communication-related permissions; and to appear legitimate it made use of the customers’ logos, not to mention displaying a “random” token code when launched (a detailed analysis of the app is available below). But the most interesting finding was the analysis of the Web-based control panel. This offered a behind-the-scenes glimpse into a mobile botnet operation and demonstrated the ease of commanding it, but more importantly—its flexibility and resilience. The panel we analyzed was used in attacks targeting several financial institutions around the globe along with a well-known social media platform. At the time of RSA’s analysis, it was commanding over 2,000 mobile devices and had intercepted over 25,000 SMS messages (see Figure 1 on the following page). FRAUD REPORT R S A M O N T H LY F R A U D R E P O R T page 1
  • 2. Figure 1 Main screen of the control panel. MOBILE APP DEVELOPMENT ON-THE-FLY The panel’s standard functionality provided the fraudster with the ability to review botrelated information, send HTTP-based commands (to the bot), and review the intercepted SMS messages. But the flexibility and resiliency of the operation was apparent when we hit the application builder screen (see Figure 2). Figure 2 Application (APK) builder screen. Built into the control panel was functionality to create custom-looking malicious mobile apps on-the-fly. Asking the botmaster to provide basic app-related information (such as name) and default communication points, it would offer a selection of existing designs or the ability to create new designs using image files and a simple HTML file. In order to build the app, the panel makes use of APKTool, a freeware, command-line tool used to decompile and recompile Android application packages. The tool wraps the HTML and images in a standard Android APK and makes it available to the fraudster for immediate use. ANALYSIS OF A ROGUE APP The delivery method of the app uses basic social engineering techniques to get the user to download and install the malicious app. Once logged into the bank’s website (on the PC), the malware presents additional, custom screens (using HTML-injection) asking the victim to select the mobile device’s operating system (only Android is supported) and the device’s phone number to which the fraudster then sends an SMS message with a link to download the app. R S A M O N T H LY F R A U D R E P O R T page 2
  • 3. During the installation process, the app requests permissions to communicate via the internet and to gain access to the SMS messages (send and receive). The app then waits for the botmaster to enable the SMS-sniffing function (via the control panel) at which point it begins to intercept all inbound and outbound SMS messages, forwarding them to the drop server. Analysis of the bot’s communication revealed that it would regularly beacon its command and control server receiving updated communication parameters as well as commands to carry out on the device. Commands included enabling (or disabling) SMS-interception and sending SMS messages from the infected device to a third party. This can be used to send SMiShing messages to other devices that will originate from the victim device and possibly allow the botmaster to grow his botnet. SUMMARY The ability to create custom-looking apps, as well as to command the botnet over HTTP and SMS, makes this operation very resilient. Having two separate communication channels (to the bots) means that any take down effort must affect both points simultaneously. Not to mention the PC-based Trojan operation that can be used to re-infect the mobile devices if needed. It is no secret that relying solely on SMS-based out-of-band authentication is not practical. Taking today’s mobile threat landscape into account will require organizations to consider stronger authentication measures to protect the identities and transactions of their customers. R S A M O N T H LY F R A U D R E P O R T page 3
  • 4. RSA CYBERCRIME STATISTICS DECEMBER 2013 Source: RSA Anti-Fraud Command Center Phishing Attacks per Month RSA identified 42,364 phishing attacks marking a 31% decrease from October’s record setting number. Typically, November sees a slight increase from October, but last month’s spike could indicate cybercriminals are focused on cashing out. 42,364 Attacks US Bank Types Attacked U.S. nationwide banks saw an increase in phishing volume in November and remained the most targeted with 71% of phishing attacks targeted at that sector. Credit Unions Regional National Top Countries by Attack Volume 76% The U.S. remained the most targeted country in November with an overwhelming 76% of total phishing volume, followed by the UK, India and South Africa. 5% 2% R S A M O N T H LY F R A U D R E P O R T UK 4% U.S. India South Africa page 4
  • 5. Top Countries by Attacked Brands In November, 26% of phishing attacks were targeted at brands in the U.S., followed by the UK, India, France and Brazil. U.S. 26% UK 12% 47% Top Hosting Countries The U.S. continues to host the most phishing attacks, hosting 47% of global phishing attacks in October, followed by Germany, the UK and the Netherlands. 6% 6% 5% GLOBAL PHISHING LOSSES NOVEMBER 2013 CONTACT US To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller – or visit us at www.emc.com/rsa www.emc.com/rsa ©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. DEC RPT 1213