The Internet Crime Complaint Center (IC3) and Federal Bureau of Investigation (FBI) issued a new warning that cyber actors are using banking trojans and fake mobile banking apps to steal your banking information.
In the new public service announcement (PSA), the FBI highlights the rapid increase (50%) in mobile banking usage since the beginning of 2020. Furthermore, studies indicate 36 percent of Americans plan to use mobile apps to conduct their banking activities.
As a result, bad actors are increasingly targeting mobile users, and this threat will likely only grow in the future.
The FBI cautions users when downloading mobile apps since some of these apps could be malicious software, such as banking trojans, disguised as legitimate banking apps.
“When the user launches a legitimate banking app, it triggers the previously downloaded trojan that has been lying dormant on their device. The trojan creates a false version of the bank’s login page and overlays it on top of the legitimate app. Once the user enters their credentials into the false login page, the trojan passes the user to the real banking app login page so they do not realize they have been compromised,” FBI warned in the public announcement.
Notable banking trojans that have evolved along these lines include TrickBot, Emotet, Panda and Dridex.
Fake mobile banking apps
Similar to the trojan threat, bad actors design fake mobile banking apps with the objective of tricking users into entering their login credentials. The attacker can then use those credentials to steal the victim’s personal data and money.
Typically, the fake app returns an error message after the user attempts to log in. Next, the fake app “will use smartphone permission requests to obtain and bypass security codes texted to users.”
In addition, US security research firms reported that nearly 65,000 fake apps were discovered on major app stores in 2018. As a result, this threat is one of the fastest-growing areas of mobile-based fraud.
The IC3 and FBI provide multiple good safeguards to protect against these mobile threats.
For example, users should turn on two-factor or multi-factor authentication (MFA) on their mobile banking apps. Using MFA protections (such as biometrics, tokens or authentication apps) is one of the strongest safeguards to protect users against an account compromise.
In addition, users should employ strong passwords and not reuse passwords across multiple sites. Users should also remember to never click on banking-related links sent in emails.
Finally, the FBI recommends users only download smartphone apps from “trusted sources,” such as official app stores or directly from your bank’s website.