Recent research from IBM X-Force highlighted banking Trojan operators’ increasing interest in stealing cryptocurrency and analyzed a webinjection scheme the TrickBot Trojan used to deliver stolen coins to attackers’ wallets. This trend by no means skipped the mobile malware realm.

Mobile malware dedicated to stealing cryptocurrency usually leverages malicious miners that infect devices to collect coins through a mobile web browser or via nefarious apps. But if profitability is the main goal, mining on a mobile device may not be the most efficient method for attackers.

Mobile devices have limited processing power to lend to mining coins, which translates to low returns. In addition, these devices are not connected to a continuous source of electricity, meaning that users are likely to suspect an issue when a device slows down or overheats, potentially resulting in permanent physical damage.

Crooks operating mobile banking Trojans don’t install miners on the device. Rather, they typically steal existing coins from unsuspecting owners using mobile malware that creates the same effect as webinjections: Cybercriminals trick users with fake on-screen information, steal their access credentials and take over accounts to empty coins into their own wallets.

Mobile Banking Trojans Rely on Existing Tactics

Much like the TrickBot Trojan, which relies on its existing server-side webinjection capabilities in attacks against cryptocurrency holders, mobile malware leverages the overlay screen to do the same.

Cybercriminals operating mobile malware such as ExoBot, BankBot, Marcher and Mazar rely on the malware’s ability to determine which application was opened or is frontmost on the user’s device. They match it with a list of the apps that interest them, and then launch a hardcoded or dynamically fetched overlay to hide the original app screen behind a fake one.

By hiding the true app, the user can be lured into tapping his or her access credentials into the fake screen, unknowingly sending them to a remote attacker. The attacker can then attempt to access the victim’s account from another device. When prompted for a second-factor authorization, such as a code sent via SMS, the malware can hijack it directly from the compromised device without the victim ever seeing the message come in. In some cases, the malware operator can even take over the device and remotely control it.

This method applies to bank accounts, but malware operators have adapted it to steal cryptocoins. Malware such as BankBot and Marcher incorporates exchange platform Android application package (APK) names designed to trigger an overlay screen as soon as an infected user opens a relevant wallet app.
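The overlay pattern described above (watch for the foreground app, draw a fake screen over it, read incoming SMS codes, carry a hard-coded list of target wallet apps) leaves a recognisable footprint in an APK's manifest and string table. The triage heuristic below is an added example for defenders, not code from X-Force or any of the named malware families; the watch-list package names, the sample permissions and the sample strings are all constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Real Android permission names that, in combination, enable the overlay-stealer
# pattern: draw over apps, see which app is frontmost, read 2FA SMS codes.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
FOREGROUND_WATCH = {
    "android.permission.GET_TASKS",
    "android.permission.PACKAGE_USAGE_STATS",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Watch-list of wallet/exchange package names. CONSTRUCTED placeholders; a real
# deployment would load the organisation's own list of protected apps.
WALLET_WATCHLIST = {"com.example.coinwallet", "com.example.btcexchange"}

# Matches dotted Android package-style identifiers with at least two dots.
PKG_RE = re.compile(r"\b[a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*){2,}\b")


@dataclass
class Verdict:
    score: int = 0
    findings: list = field(default_factory=list)


def triage(own_package: str, permissions: set, strings: list) -> Verdict:
    """Score an APK (manifest permissions + extracted strings) for the
    overlay-stealer footprint. A higher score means more of the pattern."""
    v = Verdict()
    if OVERLAY in permissions:
        v.score += 2
        v.findings.append("can draw over other apps")
    if permissions & FOREGROUND_WATCH:
        v.score += 2
        v.findings.append("can observe which app is in the foreground")
    if permissions & SMS:
        v.score += 1
        v.findings.append("can read incoming SMS (2FA interception)")
    # Hard-coded package names of OTHER apps that match the wallet watch-list.
    referenced = {m for s in strings for m in PKG_RE.findall(s)}
    hits = sorted((referenced & WALLET_WATCHLIST) - {own_package})
    if hits:
        v.score += 3
        v.findings.append("references wallet packages: " + ", ".join(hits))
    return v


# Constructed sample: a "flashlight" app carrying the full footprint.
SAMPLE_PERMS = {OVERLAY, "android.permission.GET_TASKS",
                "android.permission.RECEIVE_SMS", "android.permission.INTERNET"}
SAMPLE_STRINGS = ["com.example.coinwallet", "https://placeholder.invalid/ov",
                  "com.example.btcexchange"]


def sample_verdict() -> Verdict:
    return triage("com.example.flashlight", SAMPLE_PERMS, SAMPLE_STRINGS)
```

A wallet app referencing its own package name does not count as a hit, so the heuristic flags apps that target other wallets rather than the wallets themselves.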

Targeted Cryptocurrency Platforms

According to X-Force research, attackers target applications that facilitate coin exchanges, including applications for Bitcoin, Bitcoin Cash, Ethereum, Litecoin, Monero and other digital assets. The malware’s overlay screens look basic yet convincing, and can lead users to unknowingly send their access credentials to an attacker.

Figure 1: Screenshot of an overlay screen attempting to mimic a popular coin exchange app

Cybercrime’s Cryptocurrency Gold Rush

The cryptocurrency gold rush is going strong around the world, with new coins emerging and values rising. The common denominator is the measure of anonymity these digital currencies lend to transactions, their unrestricted access from anywhere on the globe and the fact that they can be exchanged for money without being otherwise regulated by any central entity. These features attract legitimate users, but they have been particularly valuable to cybercriminals.

Although attacks against cryptocurrency holders and exchange platforms have been on the rise since 2017, X-Force expects to see an escalation in attack diversity and scale in 2018, especially when it comes to malware being used to infect users with miners and stealers designed to target cryptocoins.

The mobile malware arena already strives to emulate the success of PC banking Trojans and facilitate cross-channel fraud and identity theft. Cryptocurrency is just another target for malware operators looking to get in on the action. Given the rapid evolution of this threat, organizations should invest in mobile threat protection tools to minimize the risk posed by mobile banking Trojans.
