Recently, Promon discovered a new strain of Android banking malware named "FjordPhantom." They published an analysis of the malware and a report that evaluated a sample of banking apps that could be vulnerable to it. Both resources offer interesting insights and raise important security topics that are worth discussing.
The Promon analysis discusses how the malware spreads, stating that "FjordPhantom is primarily spread through email, text messaging, and messaging apps. The user is prompted to install an app that looks like their bank's own app. In fact, the app contains the real bank's Android app, but runs it in a virtual environment with add-ons that can carry out attacks on that app."
Keep that point about running in a virtual environment in mind – it is important, and we will come back to it shortly.
The next stage of the attack involves social engineering. Promon's analysis continues: "Users are subject to social engineering attacks. Typically, this is supported by the attackers' call center team. They claim to be the bank's customer service staff and guide customers through the steps to run the app. The malware enables attackers to track the user's actions, leading them to perform transactions, or to use the process to steal credentials. They can use these credentials for additional attacks."
We have two different kinds of social engineering here. The first supports the installation of the malware; the second serves the attacker's goal of committing fraud by executing transactions and stealing credentials from the victim's bank account. To understand how the fraud part works, we need to go back to the matter of operating in a virtual environment.
Android's app sandbox normally prevents one app from viewing another app's data, with one exception: apps that run inside the same virtual environment share that environment and can see each other – and FjordPhantom takes advantage of this. So why does Android allow this at all?
Promon's analysis explains: "Virtualization solutions allow applications to be installed and run in virtual containers. In recent years, they have become very popular on Android. There are valid reasons to use such solutions, and Google accepts them, because many of these apps are available from the Google Play Store. A common reason to use these solutions is to be able to install the same app multiple times in order to log in to it with different accounts. This is often not possible on Android otherwise."
In light of all this, it's worth taking a step back and recognizing what is happening here at a higher level. First, by tricking a user into installing a malicious app, attackers avoid certain prompts that would indicate the app was installed improperly. Second, by running in a virtual environment, the malicious app can influence, manipulate, and steal data from the legitimate app without the operating system stopping it. Third, by using out-of-band social engineering in the next stage of the attack, the attacker ensures that the legitimate user and the legitimate device are the ones performing the transaction. This lets attackers avoid certain "tells" that would otherwise alert the banking app to potential fraud and/or abuse.
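The second point above is the one a banking app can test for directly: an app that Android installed and launched itself has a predictable data directory, UID, process name and memory map, whereas an app loaded as a guest inside a virtualization container inherits the host's process. The following is an added example, not Promon's code or any vendor SDK, of start-up heuristics that look for those discrepancies. It assumes the app's own package name is what `Context.getPackageName()` returns and that the app is not intentionally shipped to run under a container; the class name `ContainerCheck` and its method names are my own.

```java
// Added example (not Promon's code): heuristic checks a banking app can run at
// startup to detect that it has been loaded inside an app-virtualization
// container rather than installed and launched by Android itself.
// Assumptions: Context.getPackageName() is the app's real package name and the
// app is not itself designed to run under a container.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Process;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public final class ContainerCheck {

    /** Returns human-readable indicators; an empty list means nothing suspicious was seen. */
    public static List<String> findIndicators(Context ctx) {
        List<String> hits = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo ai = ctx.getApplicationInfo();

        // 1. Data directory: a normally installed app lives directly under
        //    /data/data/<pkg> or /data/user/<n>/<pkg>. A container usually
        //    redirects the guest's data dir to a path under the host's own dir.
        String dataDir = ai.dataDir;
        boolean ownDir = dataDir != null
                && (dataDir.equals("/data/data/" + pkg)
                    || dataDir.matches("/data/user/\\d+/" + Pattern.quote(pkg)));
        if (!ownDir) {
            hits.add("dataDir is not the package's own directory: " + dataDir);
        }

        // 2. UID: the kernel UID of this process should be the UID Android
        //    assigned to this package. Inside a container the process runs as
        //    the host app's UID while ApplicationInfo may report a different one.
        if (ai.uid != Process.myUid()) {
            hits.add("process uid " + Process.myUid() + " != package uid " + ai.uid);
        }

        // 3. Process name: /proc/self/cmdline holds the package name (or
        //    "<pkg>:<process>" for a declared secondary process).
        String cmdline = readProcFile("/proc/self/cmdline");
        if (cmdline != null) {
            String name = cmdline.replace("\0", "").trim();
            if (!name.equals(pkg) && !name.startsWith(pkg + ":")) {
                hits.add("process name does not match package: " + name);
            }
        }

        // 4. Memory map: code or data mapped from another app's install or data
        //    directory means a foreign APK is sharing this process.
        String maps = readProcFile("/proc/self/maps");
        if (maps != null) {
            for (String line : maps.split("\n")) {
                int idx = line.indexOf('/');
                if (idx < 0) continue;
                String path = line.substring(idx);
                boolean appPath = path.startsWith("/data/app/")
                        || path.startsWith("/data/data/")
                        || path.startsWith("/data/user/");
                if (appPath && !path.contains(pkg)) {
                    hits.add("foreign app mapping: " + path);
                    break; // one example is enough for the report
                }
            }
        }
        return hits;
    }

    // Reads a small /proc file; returns null when it is unreadable on this
    // device or OS version, which callers treat as "unknown", not "clean".
    private static String readProcFile(String path) {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new FileReader(path))) {
            String line;
            while ((line = r.readLine()) != null) {
                sb.append(line).append('\n');
            }
        } catch (IOException e) {
            return null;
        }
        return sb.toString();
    }
}
```

Two design notes. These are heuristics, not proof: a container that hooks the framework can forge `dataDir`, `uid` or the package name it hands back, which is exactly the "add-ons" Promon describes, so the value of the check lies in reporting the indicators to the bank's backend alongside the session rather than in a purely local allow/deny decision. And a `null` from `readProcFile` should be logged as "could not verify", since a newer SELinux policy restricting `/proc` reads looks identical to a tampered result from the app's point of view.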
So what does this mean for us as security professionals? Unfortunately, it means we need to combine client-side and server-side detection to have the best chance of mitigating the risk of mobile malware like FjordPhantom. We need a multi-pronged approach to give the business the greatest opportunity to defend itself. Attackers are constantly innovating and looking for ways to bypass our defenses, and a single point of failure on defense is simply not an option.
In addition, Promon's research determined that 80% of the 113 top global banking apps they tested were vulnerable to FjordPhantom. Unfortunately, this malware's ability to evade native client-side Android protections, as well as server-side protections, exposes a weakness for many businesses. Mobile app protection is undoubtedly important, but it is far more powerful when it complements existing application protections and defenses to round out the overall security posture.
As with many topics in security, defense in depth improves our ability to mitigate the risks that mobile malware poses to businesses. While it may be tempting to consider a single angle or approach when mitigating a given risk, thinking from multiple perspectives usually delivers better value for security teams and the business. One thing worth noting is that threats like FjordPhantom could become a regular part of the threat landscape.