An Old Threat Enters a New Era of Financial Crime

Malware, or malicious software, is a catch-all term for any program that’s designed to damage computers, servers, networks or mobile devices. The technology dates back decades — during the 1980s, it circulated on infected floppy disks that targeted Apple and PC users.

In the intervening years, malware techniques and attack vectors have evolved. So too, have the objectives: whereas the first computer virus displayed a short poem on individually infected machines, contemporary malware often targets large, global institutions with an eye to stealing data and money. Techniques are so sophisticated that some types of malware can intercept the one-time password (OTP) used in two-factor authentication (2FA) protections and even trigger a mobile phone screen lock to disguise their operations.

In the previous post of our Risk Management blog series, we covered SIM swapping. In this post, we’re tackling malware — in particular, the mobile malware that threatens the financial services industry.

Mobile Malware: Sizing the Threat

Mobile banking adoption exploded over the past 18 months, as the pandemic shuttered bank branches and shone a spotlight on contactless payments. Unsurprisingly, cybercriminals followed the money. McAfee Mobile Security detected a 141 percent increase in banking trojans — which infect desktop and mobile devices, then capture login details when users access their bank accounts — between Q3 and Q4 2020.

So how does mobile malware infect new devices? It usually starts with phishing: victims are lured into downloading a malicious app that, in many cases, poses as real antivirus software. After the malware has stolen victims’ bank login and OTP information, it reports back to cybercriminals, who impersonate them and drain their accounts.

Mobile malware is evolving constantly, and many newer capabilities are alarming. In addition to stealing victims’ financial login data, it can also uninstall applications, block notifications and prevent uninstallation. Other types of malware can gain super-user privileges that enable them to take full control of the device. Some are pre-installed on low-cost mobile phones.

As mobile malware has grown more sophisticated, the threat it poses has also increased. 2012’s Eurograbber attack, carried out with mobile malware that was adapted from a desktop banking Trojan, is still among the most expensive, costing corporate and private banking customers more than 36 million Euros.

Yet given that 156,710 new mobile banking Trojans were discovered in 2020 alone — twice the previous year’s figure — it is mostly likely a matter of time before another major heist is exposed.

Preventing Malware at Financial Institutions

Malware is one of the greatest threats to mobile banking. Preventing it requires combined action from end-users of digital banking — who must be ever-vigilant about suspicious links and applications — and banks, which have a responsibility to customers to provide the most advanced security measures.

Verifying identity with a limited combination of factors like passwords, OTPs and IP address checks is no longer sufficient to protect digital bank accounts.

Instead, institutions must incorporate fraud solutions like HID Global’s Risk Management Solution, which uses deep behavioral learning to analyze the way users typically interact with their devices (how they navigate websites, how they tap on a phone) and identify anomalous behavior. That way, even if fraudsters get past the login and 2FA stage, their illicit transactions will be flagged even if the malware hasn’t been recognized. Solutions such as HID Global’s Risk Management Solution can help to increase security and meet regulatory requirements without any negative impact on the customer experience.