BankBot Android Banking Malware

Protecting against the BankBot Android banking malware using RASP

Last month the Dutch company Securify came across a new sample of the BankBot Android mobile banking malware. While older samples of BankBot mainly targeted Russian financial institutions, the latest sample shows that BankBot now targets European and American banks as well. More specifically BankBot now targets over 420 leading banks in countries such as Germany, France, Austria, the Netherlands, Turkey and the United States.

VASCO’s Threat Research analysts Ludovic Joly and Ernesto Corral set out to understand how BankBot attacks mobile banking apps, and to verify whether Runtime Application Self-Protection (RASP) technology protects mobile banking apps against BankBot.

How does BankBot steal your credentials?

BankBot is a banking Trojan that poses as an apparently benign application, such as WhatsApp or Runtastic. When the application is installed and run, it asks for administrative privileges. Once these privileges are granted, the icon disappears from the home screen. From that moment, the device is compromised.

BankBot subsequently tries to steal your banking credentials (e.g. username and PIN) and credit card information using a well-known technique called overlay. This means the malware creates a window that mimics the look-and-feel of the targeted mobile banking app, and that aims to trick users into entering their credentials. This overlay window is positioned on top of the target app when the user launches it. As the overlay window is created to look exactly like the target app, users usually believes they are interacting with the genuine mobile banking app.

Protecting against BankBot’s overlay attacks

In order to defend mobile banking apps against overlay attacks, we recommend that they are protected using two techniques, namely Runtime Application Self-Protection (RASP) technology and two-factor authentication functionality.

RASP, which is a term coined by Gartner, protects mobile apps against application-level intrusions, such as overlay attacks. RASP solutions interfere with the banking Trojan’s process to create and display overlays. It is important that financial institutions choose a RASP solution that provides generic overlay protection. This means the RASP solution should not provide protection against specific malware samples (e.g. the latest BankBot sample), but rather against multiple malware families, such as BankBot, svpeng and Marcher. Marcher is one of the most active banking malware families of 2016 according to Kaspersky’s report Financial Cyberthreats in 2016. Good RASP solutions can be generic because our analysis has shown that many malware families use similar techniques to create overlays.

Two-factor authentication technology, on the other hand, ensures that banking credentials stolen via an overlay attack are of little value to a fraudster. Apps protected in this way use two different authentication elements: something the user knows (e.g. the PIN), but also something the user has (i.e. a cryptographic key stored on the mobile device, which is used to generate one-time passwords). While overlay attacks can be used to target the knowledge factor, they cannot attack the possession factor to steal the cryptographic key.

[Read Full Post on VASCO’s Blog…] 

There is power in a Promon partnership. VASCO develops next generation security technologies that enable more than 10,000 customers in 100 countries in financial, enterprise, government, healthcare and other industries. More than half of the top 100 global banks rely on VASCO solutions to protect their online, mobile, and ATM channels. Strategically integrating Promon’s technology, VASCO’s solutions build a trust platform that includes: mobile app security, two-factor authentication, and digital security for all industries.