11 Jul 2012

Shady Mobile Banking App Plays Man-in-the-Mobile


Mobile banking users from Spain, Portugal, the Netherlands and Germany have been hit by a wave of Man-in-the-Mobile attacks that seek to move funds from one account to another.

The attack appears to be based on advanced financial malware such as the notorious SpyEye and Tatanga, two e-threats that can manipulate banking accounts to hijack transactions and hide the missing money from the account holder. This time, the Trojans use web injects to add code in the browsers of Windows users in order to trick them into installing an alleged mobile banking application. These prompts show up when the victim visits the financial institution’s web page, so the request to install the mobile app looks legit.

To install the alleged banking application, the victim needs to pick an application from a choice of operating systems (iOS, BlackBerry, Android and Symbian). Whatever the choice, the website only offers an Android package. Users who opt for an application for iOS, BlackBerry, or Symbian won’t get anything, as the attackers presumably have not yet managed to port this functionality to other platforms.

According to Amit Klein, CTO of Trusteer, a company that specializes in securing financial transactions, the installed application starts intercepting SMS messages on the lookout for transaction authorization numbers (TANs), the final authentication factor that allows crooks to illegally move funds from the victim’s account.

This incident reminds users once again of the need to install security software not only on their PCs, but also on the mobile devices they may use to access the web.