
Risk Management Series: Malware and the Threat to Mobile Banking

An Old Threat Enters a New Era of Financial Crime

Malware, or malicious software, is a catch-all term for any program that’s designed to damage computers, servers, networks or mobile devices. The technology dates back decades — during the 1980s, it circulated on infected floppy disks that targeted Apple and PC users.

In the intervening years, malware techniques and attack vectors have evolved. So, too, have the objectives: whereas the first computer virus displayed a short poem on individually infected machines, contemporary malware often targets large, global institutions with an eye to stealing data and money. Techniques are so sophisticated that some types of malware can intercept the one-time password (OTP) used in two-factor authentication (2FA) protections and even trigger a mobile phone screen lock to disguise their operations.

In the previous post of our Risk Management blog series, we covered SIM swapping. In this post, we’re tackling malware — in particular, the mobile malware that threatens the financial services industry.

Mobile Malware: Sizing the Threat

Mobile banking adoption exploded over the past 18 months, as the pandemic shuttered bank branches and shone a spotlight on contactless payments. Unsurprisingly, cybercriminals followed the money. McAfee Mobile Security detected a 141 percent increase in banking trojans — which infect desktop and mobile devices, then capture login details when users access their bank accounts — between Q3 and Q4 2020.

So how does mobile malware infect new devices? It usually starts with phishing: victims are lured into downloading a malicious app that, in many cases, poses as real antivirus software. After the malware has stolen victims’ bank login and OTP information, it reports back to cybercriminals, who impersonate them and drain their accounts.

Mobile malware is evolving constantly, and many newer capabilities are alarming. In addition to stealing victims’ financial login data, it can also uninstall applications, block notifications and prevent uninstallation. Other types of malware can gain super-user privileges that enable them to take full control of the device. Some are pre-installed on low-cost mobile phones.

As mobile malware has grown more sophisticated, the threat it poses has also increased. 2012’s Eurograbber attack, carried out with mobile malware that was adapted from a desktop banking Trojan, is still among the most expensive, costing corporate and private banking customers more than 36 million Euros.

Yet given that 156,710 new mobile banking Trojans were discovered in 2020 alone — twice the previous year’s figure — it is most likely a matter of time before another major heist is exposed.

Preventing Malware at Financial Institutions

Malware is one of the greatest threats to mobile banking. Preventing it requires combined action from end-users of digital banking — who must be ever-vigilant about suspicious links and applications — and banks, which have a responsibility to customers to provide the most advanced security measures.

Verifying identity with a limited combination of factors like passwords, OTPs and IP address checks is no longer sufficient to protect digital bank accounts.

Instead, institutions must incorporate fraud solutions like HID Global’s Risk Management Solution, which uses deep behavioral learning to analyze the way users typically interact with their devices (how they navigate websites, how they tap on a phone) and identify anomalous behavior. That way, even if fraudsters get past the login and 2FA stage, their illicit transactions will be flagged, whether or not the malware itself has been recognized. Solutions such as HID Global’s Risk Management Solution can help to increase security and meet regulatory requirements without any negative impact on the customer experience.

To learn more about next generation fraud detection based on deep behavioral profiling and machine learning, visit the eBook guide to risk management systems.

Ondrej Valent is a Sales Director of Consumer Authentication within HID Global and has more than a decade of experience in IT Security. He leads the Global Sales Team and sales strategy. Ondrej has a profound technical background and extensive experience with financial institutions, advising on regulatory initiatives, operational risk, governance and compliance, and bringing a wealth of knowledge on how organizations can create a greater user experience while meeting their security requirements. Prior to HID Global, Ondrej led the sales strategy at FireEye, Gemalto and SafeNet.