[SingCERT] Malware Targeting Mobile Banking

Published on Tuesday, 15 December 2015 11:33

Joint advisory by Cyber Security Agency and Infocomm Development Authority of Singapore

[ Background ]

The Association of Banks in Singapore (ABS) released an advisory on 1st December 2015, alerting consumers about the recent malware infection on Android smartphones used by mobile banking customers. It is noted that about 50 such incidents have been reported and the victims are predominantly customers of major banks in Singapore.

[ Malware Description ]

The malware is downloaded when the user clicks on a malicious URL or installs an application from untrusted sources. The malware disguises itself as a legitimate application such as Adobe Flash Player (which is misspelt as “Abode”) and tricks users into allowing it to be installed on the smartphone. Upon installation, the malware can access sensitive information such as user credentials and personal particulars. The malware affects Android users using Android version 2.3 and above.

Users should look out for indicators that the malware is disguising itself as a legitimate application and seeking the permissions circled in RED:

(Screenshots of the malware disguising itself as Adobe Flash Player)
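
As an added illustration (not part of the original advisory), the misspelt-name indicator described above can be checked over a list of installed app names. The brand watch list, function names, package names and sample app list are assumptions constructed for this example.

```python
# Added example: flag app labels that imitate a well-known brand name,
# such as "Abode" for "Adobe". Watch list and inventory are constructed.
BRANDS = {"adobe", "google", "paypal", "whatsapp"}  # assumed watch list


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitated_brand(word):
    """Return the brand that `word` misspells, or None if it matches none."""
    w = word.lower()
    if w in BRANDS:
        return None  # exact spelling; the name alone is not an indicator
    for brand in sorted(BRANDS):
        reordered = sorted(w) == sorted(brand)  # same letters, wrong order
        one_off = len(brand) >= 5 and edit_distance(w, brand) == 1
        if reordered or one_off:
            return brand
    return None


def suspicious_labels(apps):
    """apps: iterable of (label, package). Returns (label, package, brand) hits."""
    hits = []
    for label, package in apps:
        for word in label.split():
            brand = imitated_brand(word)
            if brand:
                hits.append((label, package, brand))
                break
    return hits


# Constructed inventory; package names are placeholders, not real indicators.
SAMPLE_APPS = [
    ("Abode Flash Player", "com.example.placeholder1"),
    ("Adobe Acrobat Reader", "com.example.placeholder2"),
    ("PayPa1", "com.example.placeholder3"),
    ("Calculator", "com.example.placeholder4"),
]

if __name__ == "__main__":
    for label, package, brand in suspicious_labels(SAMPLE_APPS):
        print(f"{label!r} ({package}) imitates {brand!r}")
```

A correctly spelt name is not proof that an app is genuine, so this check complements the source and permission checks in this advisory and does not replace them.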

[ Impact ]

  • The malware disguises itself as banking applications to steal user credentials such as credit card details and PayPal information.

    (Screenshots of malware disguised as a mobile banking application)
    Credit: Fortinet (http://blog.fortinet.com/post/fake-android-flash-player-hits-global-financial-institutions)

  • The malware also harvests personal particulars such as identification numbers and details of the smartphone. It will also have access to the information held in applications such as Gmail.

[ Suggested Actions for Removing the Malware ]

  1. Users may adopt the following steps to remove the malware:
    1. Reboot the malware-infected smartphone to Safe Mode.
    2. Access the Device Administration Settings (Settings > Security > Device administrators) and locate the malware.
    3. Uncheck the box next to the name of the malware. On the next screen, select "Deactivate".
    4. Access Apps Settings (Settings > Apps) and locate the malware and select "Uninstall".
    5. Reboot your smartphone normally and visually check for any unusual activities.
    6. Scan your smartphone with an antivirus or anti-malware application.
  2. Alternatively, users could:
    1. Seek professional assistance from an authorised vendor/service provider, or
    2. Do a factory reset on their phone (Settings > Backup & reset > Factory Data Reset). Please note that performing a factory reset will erase all your phone data.

[ Prevention ]

  • Install security software for protection
    • Install antivirus or anti-malware software on your smartphone to detect and prevent known malicious software from being installed.

  • Install software from trusted sources
    • Android users should install apps only from trusted sources such as Google Play.
    • Disable the installation of apps from unknown sources (Settings > Security > the slider for “Unknown sources” should be in grey).

  • Remain vigilant at all times
    • Be wary of unsolicited messages and pop-up application dialogs.
    • Watch out for misspellings, bad grammar and/or bad punctuation, which could be further indication that the message or dialog is from a malicious source.
    • Avoid clicking on the links or buttons on such messages or dialogs.
    • Verify that the mobile banking application page is genuine before keying in the user login credentials (for example, try clicking on the Menu and subpages to verify their functionalities).
    • Check that there are no other active pop-ups when accessing the mobile banking application.
    • Do not open suspicious links from messages and emails.
    • Do not root/jailbreak your smartphone as this could compromise your smartphone security.

[ References ]

http://www.dbs.com.sg/personal/deposits/security-and-you/default.page (Mobile Malware Alert, published on 4 November 2015)