What financial institutions need to know about banking malware

By: Anna Rozehnalová, Director of Customer Success, Silobreaker

The convenient and time-saving nature of mobile banking continues to make mobile devices an attractive target for cybercriminals. With more users relying on mobile banking for personal finance management, banks are enhancing their experience by incorporating features such as budgeting tools, AI-driven spending analysis, and instant loan approvals.

Android banking malware

With several sources stating that Android constitutes up to 70% of the mobile market share worldwide, it is understandable why threat actors are crafting intricate campaigns targeting these devices, tricking users by posing as legitimate-looking apps in order to gain further permissions and steal sensitive data. Specifically, four prominent campaigns from this year will be summarised, with each demonstrating the continued evolution of this threat.

NGate

In late 2023, a malicious campaign, dubbed NGate, emerged targeting customers of three major Czech banks and exploiting Near Field Communication (NFC) to steal sensitive payment card data.

The attack started with phishing campaigns that involved deceptive SMS messages and automated calls informing victims that their accounts were involved in a security incident. They were asked to download a mobile app to verify their existing payment card data and PIN. Once installed, the app, which was disguised as a legitimate banking app, relayed NFC data from victims’ Android devices to the attacker’s device. The stolen data was saved as a virtual card, allowing attackers to emulate the stolen cards and conduct unauthorised transactions on ATMs that use NFC for withdrawals.  

Six distinct NGate apps targeting bank customers were identified before the campaign was halted following the arrest of the perpetrator in March 2024. The number of affected individuals remains unknown.

SpyAgent

In September 2024, McAfee researchers reported on campaigns delivering a new Android mobile malware named SpyAgent via fake apps. Over 280 fake apps have been detected in South Korea since early 2024, with recent campaigns affecting users in the UK.

Users were targeted with phishing messages, spread through text messages and social media, that would redirect them to websites that then lured them into downloading a seemingly legitimate app. These apps masqueraded as legitimate banking, government services, utilities or TV streaming apps. Once installed, victims were asked to grant the app permissions to access sensitive data including SMS messages, contact lists and storage.

It seems the primary focus of SpyAgent is to steal cryptocurrency wallet mnemonic keys, suggesting its ultimate motive is to steal victims’ cryptocurrency wallet funds. The malware also uses endless loading screens, unexpected redirects and blank screens to distract its victims while it steals data in the background. The researchers at McAfee also found evidence that the perpetrators are working on an iOS variant of SpyAgent.

Gigabud

Researchers at Zimperium recently reported on a newly identified link between Gigabud and Spynote, two Android trojans designed to steal sensitive data from victims. The malware variants were observed being distributed via phishing campaigns impersonating airline apps, banking apps, or government tax entities. Targets included users in Thailand, Vietnam, Bangladesh, Indonesia, Mexico, South Africa and Ethiopia.  

This report follows past research by Cyble, who identified connections between Gigabud and the Golddigger Android banking trojan. Group-IB previously found links between Gigabud and a new sophisticated iOS banking trojan named GoldPickaxe. All three malware families have been attributed to a single threat actor, dubbed GoldFactory, which has been active mainly in the Asia-Pacific region and is believed to be a Chinese-speaking cybercrime group.

Gigabud’s similarities with numerous Android banking malware variants, as well as with iOS banking malware, not only indicate the threat actor’s high level of sophistication but also serve as a prime example of the reach that threat actors operating within the banking malware sphere can achieve.

Securing mobile banking by staying ahead of emerging threats

These campaigns demonstrate the continually evolving and changing nature of threats targeting mobile banking devices. Despite varying levels of technical sophistication, resource availability and primary targets, they each contribute to the ever-changing threat landscape banking organisations are faced with. Threat actors are constantly adapting their techniques to trick users, bypass security measures and steal sensitive financial data.

As these tactics grow more complex, it’s essential for financial institutions to keep up with emerging threats to better protect their assets and maintain the trust and confidence of their customers. Threat intelligence plays a crucial role in this effort, enabling organisations to stay informed about new malware trends and tactics. By proactively monitoring these developments, financial firms can strengthen their defences, adapt to evolving cyber risks, and maintain a secure environment for mobile banking users.
