Recent research from IBM X-Force highlighted banking Trojan operators’ increasing interest in stealing cryptocurrency and analyzed a webinjection scheme the TrickBot Trojan used to deliver stolen coins to attackers’ wallets. This trend by no means skipped the mobile malware realm.

Mobile malware aimed at cryptocurrency usually takes the form of malicious miners that infect devices to mine coins through a mobile web browser or via nefarious apps. But if profitability is the main goal, mining on a mobile device is not the most efficient method for attackers.

Mobile devices have limited processing power to lend to mining, which translates to low returns. In addition, they run on batteries rather than a continuous power source, so mining drains the battery quickly and causes the device to slow down or overheat. Users are likely to notice and suspect a problem, and sustained overheating can leave the device permanently damaged.

Crooks operating mobile banking Trojans don’t install miners on the device. Rather, they typically steal existing coins from unsuspecting owners using mobile malware that creates the same effect as webinjections: Cybercriminals trick users with fake on-screen information, steal their access credentials and take over accounts to empty coins into their own wallets.


Mobile Banking Trojans Rely on Existing Tactics

Much like the TrickBot Trojan, which relies on its existing server-side webinjection capability in attacks against cryptocurrency holders, mobile malware leverages overlay screens to do the same.

Cybercriminals operating mobile malware such as ExoBot, BankBot, Marcher and Mazar rely on the malware's ability to determine which application was just opened or is in the foreground on the user's device. They match it against a list of apps that interest them and then launch a hardcoded or dynamically fetched overlay: a fake screen drawn on top of the legitimate app so that the original screen is hidden. On Android, drawing over other apps requires the "draw over other apps" (SYSTEM_ALERT_WINDOW) permission, and the same families often abuse an accessibility service to read the screen and click through prompts, so both are worth auditing on a device suspected of infection.

By hiding the true app, the malware lures the user into typing his or her access credentials into the fake screen, unknowingly sending them to a remote attacker, who can then attempt to access the victim's account from another device. When prompted for a second factor, such as a code sent via SMS, the malware can intercept the message directly on the compromised device without the victim ever seeing it arrive. In some cases, the malware operator can even take over the device and control it remotely.

This method was built for bank accounts, but malware operators have adapted it to steal cryptocoins. Malware such as BankBot and Marcher includes the Android package names of cryptocurrency exchange and wallet apps in its target list, so that an overlay screen is triggered as soon as an infected user opens a relevant app.
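The overlay scheme above depends on an installed app holding the permission to draw over other apps, and the SMS interception depends on SMS permissions; an app that requests both and was not knowingly installed is a strong triage signal. The following script is an added example, not part of the original post or of X-Force's tooling. It parses the text of `adb shell dumpsys package` and reports non-allowlisted packages that request SYSTEM_ALERT_WINDOW, noting whether they can also read SMS. The dump excerpt, the package names and the `EXPECTED_OVERLAY_APPS` allowlist are constructed for the example.

```python
"""Triage helper (added example): find installed Android packages that request
the overlay permission mobile banking Trojans use, and flag the ones that can
also read SMS.  Input is the text of `adb shell dumpsys package`."""
import re

# Permission needed to draw a fake screen over another app.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"

# Permissions that let the same app intercept SMS-delivered second factors.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Hypothetical allowlist: packages the device owner expects to draw overlays.
EXPECTED_OVERLAY_APPS = {"com.android.systemui"}

# Constructed excerpt in the shape of `dumpsys package` output, trimmed to the
# fields the parser uses.  Package names are invented for the example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.systemui] (1a2b3c):
    userId=10011
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
  Package [com.example.wallet] (4d5e6f):
    userId=10123
    flags=[ HAS_CODE ALLOW_BACKUP ]
    requested permissions:
      android.permission.INTERNET
  Package [com.flash.player.update] (7a8b9c):
    userId=10140
    flags=[ HAS_CODE ALLOW_BACKUP ]
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\] \(")
FLAGS_RE = re.compile(r"^\s*flags=\[(.*?)\]")


def parse_dumpsys(text):
    """Return {package: {"system": bool, "requested": set(permission names)}}."""
    packages = {}
    current = None
    in_requested = False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            packages[current] = {"system": False, "requested": set()}
            in_requested = False
            continue
        if current is None:
            continue
        fm = FLAGS_RE.match(line)
        if fm:
            packages[current]["system"] = "SYSTEM" in fm.group(1).split()
            continue
        stripped = line.strip()
        if stripped.endswith(":"):
            # Section header; we only collect the "requested permissions" block.
            in_requested = stripped == "requested permissions:"
            continue
        if in_requested and stripped:
            packages[current]["requested"].add(stripped)
    return packages


def find_overlay_capable(text, expected=EXPECTED_OVERLAY_APPS):
    """List packages requesting the overlay permission that are not allowlisted,
    sorted by package name, with flags a responder would want to see."""
    findings = []
    for pkg, info in parse_dumpsys(text).items():
        if OVERLAY_PERMISSION not in info["requested"] or pkg in expected:
            continue
        findings.append({
            "package": pkg,
            "system_app": info["system"],
            "can_read_sms": bool(info["requested"] & SMS_PERMISSIONS),
        })
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for finding in find_overlay_capable(SAMPLE_DUMPSYS):
        tag = "overlay+SMS" if finding["can_read_sms"] else "overlay"
        print(f"{finding['package']}: {tag} (system={finding['system_app']})")
```

Requesting the permission is not the same as holding it: since Android 6 the overlay capability is granted per app through Settings, so confirm the grant with `adb shell appops get <package> SYSTEM_ALERT_WINDOW` before concluding anything, and check `adb shell settings get secure enabled_accessibility_services` for an unexpected accessibility service, which this parser does not cover.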

Targeted Cryptocurrency Platforms

According to X-Force research, attackers target applications that facilitate coin exchanges, including applications for bitcoin, Bitcoin Cash, Ethereum, Litecoin, Monero and other digital assets. The malware’s overlay screens look basic yet convincing, and can lead users to unknowingly send their access credentials to an attacker.

Figure 1: Screenshot of an overlay screen attempting to mimic a popular coin exchange app

Cybercrime’s Cryptocurrency Gold Rush

The cryptocurrency gold rush is going strong around the world, with new coins emerging and values rising. The common denominator is the measure of anonymity these digital currencies lend to transactions, their unrestricted access from anywhere on the globe and the fact that they can be exchanged for money without being otherwise regulated by any central entity. These features attract legitimate users, but they have been particularly valuable to cybercriminals.

Although attacks against cryptocurrency holders and exchange platforms have been on the rise since 2017, X-Force expects to see an escalation in attack diversity and scale in 2018, especially when it comes to malware being used to infect users with miners and stealers designed to target cryptocoins.

The mobile malware arena already strives to emulate the success of PC banking Trojans and facilitate cross-channel fraud and identity theft. Cryptocurrency is just another target for malware operators looking to get in on the action. Given the rapid evolution of this threat, organizations should invest in mobile threat protection tools to minimize the risk posed by mobile banking Trojans.

