January 25, 2016

4 New Threats to Banking Apps That Show App Hardening's Importance

Four recently uncovered threats targeting banking apps shine new light on why all apps that handle sensitive data need to be secured from the inside out.

The threats

The threats all target phones running banking applications, with the intention of stealing login information or other personal data associated with a victim’s finances. Arguably one of the most concerning pieces of malware is the recently publicized Slembunk, which reportedly can monitor the processes running on a device and detect when a banking app is launched. When that happens, the malware puts a fake UI on top of the legitimate app and steals the data the victim inputs.

Another piece of malware called Asacub, once spyware, recently evolved to target a number of banks and their customers, using their logos in phishing screens presented by the malware.

Similarly, Marchcaban targets users of PayPal. Once installed on a device, Marchcaban detects the legitimate PayPal app and then layers itself on top of the app’s user interface, thereby collecting any data the user inputs into what he believes is the actual PayPal app.

Recently, the Association of Banks in Singapore released an alert highlighting the concern around malware targeting mobile banking users’ devices. Specifically, the organization highlighted a piece of malware pretending to be an update to the popular messaging app WhatsApp. When victims fell for the spoofed update, they instead would end up with a piece of malware on their Android device that attempted to phish their credit card information and other private credentials.

The trend is a real one for financial institutions and for any other industry that handles sensitive data over mobile applications. Cybercriminals are targeting devices with these sensitive apps, especially when the data stolen can help a criminal commit fraud.

Why we need app hardening

“IT leaders must focus on detecting and responding to threats, as well as more traditional blocking and other measures to prevent attacks. Application self-protection, as well as user and entity behavior analytics, will help fulfill the adaptive security architecture,” Gartner states in its 10 strategic technology trends for 2016, as referenced by IT Business Edge.

Enterprise app developers must factor in “application self-protection,” the idea that an app can protect itself from the inside.

Traditionally, “app hardening” has been regarded as making an app “tamper proof,” but we believe this should be extended to consider protection against risky environments. Apps are distributed, a developer would hope, to thousands or millions of devices, but it’s not guaranteed that those devices are “safe environments” running security software. By introducing security services into the application development process, a company’s app effectively brings its security with it wherever it goes.

Apps packed with self-protection would be able to alert their administrators that a malicious process was running on the device, and remediation techniques could be employed, or better still, built into the applications themselves.

Mobile malware is here; app hardening must follow

“ABS would like to remind mobile banking customers that smartphones are as susceptible to malware as desktop computers or laptops,” explained Mrs Ong-Ang Ai Boon, Director of ABS, in the December alert.

As mobile banking, along with other sensitive industries, becomes more ubiquitous, app developers will become more accountable for the security inside their apps. Emerging app hardening technology will undoubtedly be able to assist developers and keep enterprises and institutions from leaving the door to fraud unlocked in their mobile apps.

Interested in getting more information about why mobile security matters in this changing mobile-first world? Check out these answers to the top five questions CSOs and CIOs ask about mobile security.