In September 2011, we reported the first SpyEye-in-the-mobile (SPitMo) attack targeting banking customers on the Android platform. Recently, we discovered the first Tatanga-based man-in-the-mobile (MitMo) attack, as well as new SPitMo configurations that are targeting Android mobile banking users in Germany, the Netherlands, Portugal and Spain. With nearly 60 percent of the market and a reputation for weak app security, it’s no surprise that Android has become the preferred target for financial malware.

How Man-in-the-Mobile Works

Like previous attacks, both the SPitMo and Tatanga MitMo variants target Windows users on the Web and use a webinjection in the desktop browser to lure them into installing a fake security application on their phones. The fraudsters claim this application is required by the bank as a new layer of protection and that 15 million bank customers around the world are already using it. The victims are asked to choose the device’s operating system from the following list:

  • iOS (iPhone)
  • BlackBerry
  • Android (Samsung, HTC, etc.)
  • Symbian (Nokia)
  • Other

In most attacks, if the victim is using an operating system other than Android, the malware informs the user that no further action is required. For Android users, however, the desktop component of the MitMo attack requests victims’ phone numbers and notifies them that a link for downloading the security application has been sent via SMS to their mobile device. Users are directed to install the fake application from this link and enter the activation code provided by the malware. Certain attacks also request that BlackBerry users download the application, but it does not actually install on those devices.

Once installed, the mobile malware captures all SMS traffic, including transaction authorization codes sent by the bank to the victim, and forwards them to the fraudsters. This enables the criminals to initiate fraudulent transfers and capture the security codes needed to bypass the SMS-based out-of-band authorization systems used by many European banks.
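As an added example (not code from the original post), the following Python audit flags the manifest pattern an SMS-forwarding app like the one described needs: a way to read incoming SMS plus a way to send the codes out. The package name and manifest text are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app read every incoming SMS...
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# ...and that give it a channel to forward what it read.
EXFIL = {"android.permission.INTERNET", "android.permission.SEND_SMS"}

# Constructed sample manifest with a hypothetical package name; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebanksecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def audit_manifest(xml_text: str) -> dict:
    """Return the SMS-related permissions, receivers and risk findings for one manifest."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    prio_attr = f"{{{ANDROID_NS}}}priority"
    perms = {p.get(name_attr) for p in root.iter("uses-permission")}
    # A high-priority receiver for SMS_RECEIVED sees a message before the default SMS app does.
    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(name_attr) for a in flt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                try:
                    prio = int(flt.get(prio_attr, "0"))
                except ValueError:
                    prio = 0
                sms_receivers.append((recv.get(name_attr), prio))
    reads_sms = bool(perms & SMS_READ) or bool(sms_receivers)
    findings = []
    if reads_sms and perms & EXFIL:
        findings.append("sms-read+network")  # can read codes and send them out
    if any(p > 0 for _, p in sms_receivers):
        findings.append("high-priority-sms-receiver")
    return {"package": root.get("package"), "permissions": sorted(perms),
            "sms_receivers": sms_receivers, "findings": findings,
            "suspicious": bool(findings)}
```

Run against manifests pulled from a device or an app store feed, the findings list is the triage signal; a benign app with only INTERNET produces no findings.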

The attackers use different social engineering tricks in each country to lure victims into downloading the fake application, including URLs with the words “secure” and “Android files” with a .com domain name. IBM investigated the registration information for these URLs, which were located in China and the United States. They were registered in June just prior to the initial attacks. All URLs are inactive at the moment. Both Tatanga and SpyEye use the same Android application in this attack.

Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques

Spanish Bank Customer Attacks

In the attack on Spanish banks, the victims are asked to download the security application from a link in an SMS sent to their mobile phones. Here is a screen capture of the message displayed to the victims during their online banking session:

The message mentions that the bank has taken steps to protect its customers against attacks on mobile devices and requires the user to install the application. The malware then asks Android users to submit a code they receive with the text message to activate the application.

BlackBerry users are notified that the security application has been installed successfully, although it only installs on Android devices.

Victims who use other mobile operating systems are notified that their device does not require this special security measure.

German Bank Customer Attacks

In the German attacks, criminals lure victims into downloading the fake application by claiming the bank has developed special security measures in cooperation with Oracle. As mentioned above, the fraudsters claim that more than 15 million bank customers around the world already use the system.

Android users are asked to download the security application from a link sent by the malware via SMS and to submit the activation code on the bank’s spoofed Web page.

As in the Spanish attack, BlackBerry users are notified that the application was successfully installed and that they are protected, although no installation actually takes place.

Meanwhile, victims that use other mobile operating systems are notified that their device does not require any additional security.

The Focus on Android

This discovery confirms that Man-in-the-Mobile (MitMo) attacks are focusing primarily on Android devices. Multiple studies show that Android devices account for more than 60 percent of the smartphone market in the targeted countries (Spain, Portugal, Germany and the Netherlands). Android popularity and the relative ease of developing and distributing Android applications are probably the reasons why cyber criminals have singled out this particular platform for mobile malware attacks. Once fraudsters have infected a victim’s Web and mobile endpoints, very few security mechanisms can prevent fraud from occurring.

Today, criminals are compromising Android devices to circumvent out-of-band security mechanisms that send SMS messages to authorize both Web and mobile banking transactions. Going forward, we expect criminals to expand their attack tactics on mobile devices to mimic desktop attack techniques, including webinjection, key loggers and screen capture, among others.
