Recent research from IBM X-Force highlighted banking Trojan operators’ increasing interest in stealing cryptocurrency and analyzed a webinjection scheme the TrickBot Trojan used to deliver stolen coins to attackers’ wallets. This trend by no means skipped the mobile malware realm.

Mobile malware dedicated to stealing cryptocurrency usually leverages malicious miners that infect devices to collect coins through a mobile web browser or via nefarious apps. But if profitability is the main goal, mining on a mobile device may not be the most efficient method for attackers.

Mobile devices have limited processing power to lend to mining coins, which translates to low returns. In addition, these devices are not connected to a continuous source of electricity, meaning that users are likely to suspect an issue when a device slows down or overheats, potentially resulting in permanent physical damage.

Crooks operating mobile banking Trojans don’t install miners on the device. Rather, they typically steal existing coins from unsuspecting owners using mobile malware that creates the same effect as webinjections: Cybercriminals trick users with fake on-screen information, steal their access credentials and take over accounts to empty coins into their own wallets.

Watch the on-demand webinar: The Evolution of TrickBot Into the Next Global Banking Threat

Mobile Banking Trojans Rely on Existing Tactics

Much like the case of the TrickBot Trojan, which relies on its existing capabilities to use serverside webinjections in attacks against cryptocurrency holders, mobile malware leverages the overlay screen to do the same.

Cybercriminals operating mobile malware such as ExoBot, BankBot, Marcher and Mazar rely on the malware’s ability to determine which application was opened or is frontmost on the user’s device. They match it with a list of the apps that interest them, and then launch a hardcoded or dynamically fetched overlay to hide the original app screen behind a fake one.

By hiding the true app, the user can be lured into tapping his or her access credentials into the fake screen, unknowingly sending them to a remote attacker. The attacker can then attempt to access the victim’s account from another device. When prompted for a second-factor authorization, such as a code sent via SMS, the malware can hijack it directly from the compromised device without the victim ever seeing the message come in. In some cases, the malware operator can even take over the device and remotely control it.

This method applies to bank accounts, but malware operators have adapted it to steal cryptocoins. Malware such as BankBot and Marcher incorporates exchange platform Android application package (APK) names designed to trigger an overlay screen as soon as an infected user opens a relevant wallet app.

Targeted Cryptocurrency Platforms

According to X-Force research, attackers target applications that facilitate coin exchanges, including applications for bitcoin, Bitcoin Cash, Ethereum, Litecoin, Monero and other digital assets. The malware’s overlay screens look basic yet convincing, and can lead users to unknowingly send their access credentials to an attacker.

Figure 1: Screenshot of an overlay screen attempting to mimic a popular coin exchange app

Cybercrime’s Cryptocurrency Gold Rush

The cryptocurrency gold rush is going strong around the world, with new coins emerging and values rising. The common denominator is the measure of anonymity these digital currencies lend to transactions, their unrestricted access from anywhere on the globe and the fact that they can be exchanged for money without being otherwise regulated by any central entity. These features attract legitimate users, but they have been particularly valuable to cybercriminals.

Although attacks against cryptocurrency holders and exchange platforms have been on the rise since 2017, X-Force expects to see an escalation in attack diversity and scale in 2018, especially when it comes to malware being used to infect users with miners and stealers designed to target cryptocoins.

The mobile malware arena already strives to emulate the success of PC banking Trojans and facilitate cross-channel fraud and identity theft. Cryptocurrency is just another target for malware operators looking to get in on the action. Given the rapid evolution of this threat, organizations should invest in mobile threat protection tools to minimize the risk posed by mobile banking Trojans.

Interested in emerging security threats? Read the latest IBM X-Force Research

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today