If you bank by phone, you better be careful. Malicious mobile-banking software aimed at taking over consumer bank accounts has threatened up to 10 percent of consumer cell phones, security experts warn. Worse, the software is so sophisticated that it can easily trick even savvy consumers into divulging their banking credentials to the crooks.
"When it is installed on a device, it will display overlays that are legitimate-looking screens that prompt you to log into your bank account," said Michael Flossman, head of threat intelligence at Lookout, a mobile security service. "And the software knows to wait to serve that screen until you are trying to legitimately contact your bank."
Lookout analyzed 30,000 mobile devices with one or more major banking apps installed. The mobile threat histories of these devices during the one-year study period showed that 10 percent of mobile banking customers encountered a threat or risk, Flossman said.
Avast, another mobile security firm, said about 6 percent of the Android phones it protects have been threatened by malware. Only 2.6 percent of that total was bots that aim to steal customer bank accounts. However, this type of malware is growing rapidly, with 50 percent more threats detected in 2017 than in the previous year.
Avast said its own research confirms just how realistic the bogus bank log-in screens appear. Some 36 percent of respondents worldwide were fooled, mistaking the fake interface for their own bank's real one, according to an Avast survey released on Tuesday.
"The findings highlight the level of sophistication and accuracy applied by cybercriminals to create trusted copies designed to spy on users, collect their bank login details and steal their money," Avast said in a press release.
Malware aimed at account takeover of consumer bank accounts isn't new. The Financial Services Information Sharing and Analysis Center started detecting this type of targeted malware nearly 10 years ago. Banks have since instituted a variety of security protocols that require multiple types of identity verification before a remote user would be able to gain access to money in consumer accounts.
"It is possible that this malware could trick a customer into providing their login information," said Gregg Temm, chief information risk officer at the FSISAC. "But banks are using multifactor identification.They're looking at the IP location, the time of day, the number of times that user typically logs in and a variety of other factors."
These precautions may not be foolproof, but they deter the vast majority of thieves from breaching bank firewalls, he said.
However, the security attacks persist and are gaining sophistication.
Indeed, in addition to making bank logon screens that appear legitimate, the way these viruses spread is usually through phishing emails, which are also increasingly believable, said Flossman. For instance, a consumer might get a text message, ostensibly sent by a delivery service, saying only: "Your package has been delivered. Click here for more information." If you do, your phone's operating system is opened up to the crook's malware.
"Once the software compromises one device, it will send a message from that device to all of your contacts saying that they need to install this application," said Flossman. "You may know not to click on a link from an unknown sender, but you might not be as careful when the text is coming from someone you know."
Moreover, some of these bank bots have been hidden in seemingly innocuous programs sold in legitimate app stores.
One variant of the BankBot Trojan, for instance, was concealed in supposedly trustworthy flashlight and Solitaire apps sold on Google Play as recently as November, according to Avast.
"We are seeing a steady increase in the number of malicious applications for Android devices that are able to bypass security checks on popular app stores and make their way onto consumers' phones," said Gagan Singh, senior vice president and general manager of mobile at Avast. "Often, they pose as gaming and lifestyle apps and use social engineering tactics to trick users into downloading them."
Good "cyber hygiene" is necessary to protect anyone who banks online, said FSISAC's Temm. Specifically:
Download free antivirus software for your phone, which should block most malicious programs.
Make sure to keep your operating system updated. When vulnerabilities to an operating system are found, the software company will send through a patch to update it. Missing one or more of those patches can leave your phone vulnerable.
Be cautious about downloading new apps. Don't ever download from an unofficial site, and be sure to use caution even with the major app stores, checking consumer reviews and using good common sense. If, for instance, you bank with Wells Fargo and see that only five consumers have rated its banking app, you should be suspicious. The real Wells Fargo mobile app has more than 200,000 ratings on Google Play.
Also make sure that you log out completely when you finish a mobile banking session, that you password protect your phone and that you notify your bank if you lose your phone or detect any suspicious activity in your account, banking experts add. And of course, never log into your bank account from a public Wi-Fi network.