Mobile Banking Trojans as Keen on Cryptocurrency as PC Malware

Recent research from IBM X-Force highlighted banking Trojan operators’ increasing interest in stealing cryptocurrency and analyzed a webinjection scheme the TrickBot Trojan used to deliver stolen coins to attackers’ wallets. This trend by no means skipped the mobile malware realm.

Mobile malware dedicated to stealing cryptocurrency usually relies on malicious miners: code that infects a device and mines coins for the attacker, either through a script loaded in the mobile web browser or through a trojanized app. But if profitability is the main goal, mining on a mobile device is not an efficient method for attackers.

Mobile devices have limited processing power to lend to mining, which translates to low returns. They also run on a battery rather than a continuous power supply, so sustained mining drains the battery, slows the device and makes it overheat. Users are likely to notice and suspect a problem, and in extreme cases the heat can cause permanent physical damage to the device.

Crooks operating mobile banking Trojans don’t install miners on the device. Instead, they typically steal coins the victim already holds, using mobile malware that achieves the same effect as webinjections: cybercriminals trick users with fake on-screen information, steal their access credentials and take over their accounts to empty the coins into attacker-controlled wallets.


Mobile Banking Trojans Rely on Existing Tactics

Much like TrickBot, which reuses its existing server-side webinjection capability in attacks against cryptocurrency holders, mobile malware reuses its overlay screen capability to do the same.

Cybercriminals operating mobile malware such as ExoBot, BankBot, Marcher and Mazar rely on the malware’s ability to determine which application the user has just opened or which one is currently in the foreground. The malware matches that app against a list of the apps that interest the attackers and, on a hit, launches an overlay, either hardcoded in the malware or fetched dynamically, that hides the genuine app screen behind a fake one.

Because the genuine app is hidden, the user can be lured into typing his or her access credentials into the fake screen, unknowingly sending them to a remote attacker. The attacker can then attempt to log in to the victim’s account from another device. When the login is challenged with a second factor, such as a code sent via SMS, the malware intercepts the message on the compromised device and relays it to the attacker without the victim ever seeing it arrive. In some cases, the malware operator can even take over the device and control it remotely.

This method was built for bank accounts, but malware operators have adapted it to steal cryptocoins. Malware such as BankBot and Marcher includes the Android package names of cryptocurrency exchange and wallet apps in its target list, so that an overlay screen is triggered as soon as an infected user opens a relevant wallet app.
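The scheme described in the two passages above (foreground-app matching against a target list, an overlay screen, and SMS interception for the second factor) leaves a recognizable footprint in a sample's manifest and string table. The following triage script is an added example, not code from the IBM X-Force article or from any of the malware families it names; it parses a decoded AndroidManifest.xml for the permissions, receivers and services that each capability requires and checks the sample's strings against a wallet watchlist. The manifest and string table below are constructed for the example, and the watchlist package names (`com.example.btcwallet`, `com.example.ethexchange`) are hypothetical placeholders, since the article does not publish the package lists the malware carries.

```python
"""Triage a decoded Android manifest and string table for overlay-trojan indicators.
Added example (not from the IBM X-Force article). Inputs below are constructed; on a
real sample, feed it the AndroidManifest.xml from apktool and the APK's strings."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest evidence for each capability the article describes.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
FOREGROUND_PERMS = {"android.permission.GET_TASKS",
                    "android.permission.PACKAGE_USAGE_STATS"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Hypothetical wallet/exchange package names standing in for a real watchlist.
WALLET_WATCHLIST = {"com.example.btcwallet", "com.example.ethexchange"}


def triage_manifest(manifest_xml):
    """Return a dict of capability -> evidence found in the manifest."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Highest priority of any intent-filter listening for incoming SMS; a very
    # high value lets the malware see the 2FA code before the stock SMS app does.
    sms_filter_priorities = [
        int(f.get(ANDROID_NS + "priority", "0"))
        for f in root.iter("intent-filter")
        if any(a.get(ANDROID_NS + "name") == SMS_RECEIVED_ACTION
               for a in f.iter("action"))
    ]
    return {
        "overlay": sorted(declared & OVERLAY_PERMS),
        "foreground_detection": sorted(declared & FOREGROUND_PERMS),
        "sms_permissions": sorted(declared & SMS_PERMS),
        "sms_receiver_priority": max(sms_filter_priorities, default=None),
        # An accessibility service is another way to learn which app is in front.
        "accessibility_service": any(
            s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM
            for s in root.iter("service")),
    }


def find_wallet_targets(strings, watchlist=WALLET_WATCHLIST):
    """Watchlist package names that appear verbatim in the sample's strings."""
    return sorted({s.strip() for s in strings} & set(watchlist))


def assess(manifest_xml, strings):
    """Combine manifest evidence and the target list into a short verdict."""
    m = triage_manifest(manifest_xml)
    targets = find_wallet_targets(strings)
    indicators = []
    if m["overlay"]:
        indicators.append("overlay")
    if m["foreground_detection"] or m["accessibility_service"]:
        indicators.append("foreground_detection")
    if m["sms_permissions"] and m["sms_receiver_priority"] is not None:
        indicators.append("sms_interception")
    if targets:
        indicators.append("wallet_targets")
    # Overlay plus a way to know which app is in front is the core of the scheme;
    # SMS interception and a wallet target list raise confidence further.
    if {"overlay", "foreground_detection"} <= set(indicators):
        verdict = ("overlay-trojan: likely" if len(indicators) >= 3
                   else "overlay-trojan: possible")
    else:
        verdict = "no overlay-trojan pattern"
    return {"indicators": indicators, "targets": targets, "verdict": verdict}


# Constructed sample manifest (not taken from a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".OverlayService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Constructed string table, as if pulled from the decoded APK.
SAMPLE_STRINGS = ["com.android.settings", "com.example.btcwallet",
                  "overlay_btc.html", "com.example.ethexchange", "login.html"]

if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

The verdict logic deliberately requires both an overlay capability and some means of foreground-app detection before it calls a sample an overlay Trojan, because many legitimate apps request SYSTEM_ALERT_WINDOW or SMS permissions on their own; the wallet watchlist and the high-priority SMS receiver are what distinguish the cryptocurrency-stealing variants discussed here from a generic floating-window app.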

Targeted Cryptocurrency Platforms

According to X-Force research, attackers target applications that facilitate coin exchanges, including apps for Bitcoin, Bitcoin Cash, Ethereum, Litecoin, Monero and other digital assets. The malware’s overlay screens look basic yet convincing, and can lead users to unknowingly hand their access credentials to an attacker.


Figure 1: Screenshot of an overlay screen attempting to mimic a popular coin exchange app

Cybercrime’s Cryptocurrency Gold Rush

The cryptocurrency gold rush is going strong around the world, with new coins emerging and values rising. The common denominator is the degree of anonymity these digital currencies lend to transactions, the fact that they can be accessed from anywhere on the globe, and the fact that they can be exchanged for money without oversight from any central entity. These features attract legitimate users, but they have been particularly valuable to cybercriminals.

Although attacks against cryptocurrency holders and exchange platforms have been on the rise since 2017, X-Force expects to see an escalation in attack diversity and scale in 2018, especially when it comes to malware being used to infect users with miners and stealers designed to target cryptocoins.

The mobile malware arena already strives to emulate the success of PC banking Trojans and facilitate cross-channel fraud and identity theft. Cryptocurrency is just another target for malware operators looking to get in on the action. Given the rapid evolution of this threat, organizations should invest in mobile threat protection tools to minimize the risk posed by mobile banking Trojans.


Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke at RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current-day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.