discovered by Lookout, the bad actors deployed the trojanized app on the official Google Play
store; it has since been removed.
Phishing attacks are also insidious because attackers could not only steal banking credentials
but also collect further information to reuse later in a spear-phishing campaign.
Distributing malicious apps through the official Google Play store makes the operations run by
cyber criminals far more effective and dangerous: exploiting a trusted channel gives mobile
malware a much wider diffusion.
As explained, financial institutions are offering several services through mobile platforms, and
mobile banking apps are probably the most widespread instrument, but what level of security do
they offer?
In early 2014, Ariel Sanchez, a researcher at the security assessment company IOActive, published
an interesting report analyzing the level of security implemented by mobile banking apps
for iOS devices.
The expert tested 40 different iOS banking apps used by 60 different banks in about 20
different countries.
The key findings are disconcerting:
70% of the apps offered no support at all for two-factor authentication.
40% of the apps accepted any SSL certificate for secure HTTP traffic.
90% of the apps contained several non-SSL links throughout the application. This allows
an attacker to eavesdrop on traffic and inject malicious code in an attempt to create a fake
login prompt or similar fraud.
Moreover, 20% of the apps sent account activation codes through plaintext
communication (HTTP). Even if this functionality is limited to initial account setup, the
associated risk is high.
I consider the second point alarming: it means that 40% of iOS banking apps are not able to
recognize fake certificates, exposing the victim to the risk of MITM attacks.
Digital certificates are used to mutually authenticate mobile users and the trusted banking
website, but the fact that mobile apps blindly accept any certificate implies that an attacker
could deploy a bogus banking website that tricks users into believing the site is legitimate,
because it presents a fake certificate that the mobile app recognizes as valid.
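As an added illustration of the "accepts any SSL certificate" finding (this is example code written for this page, not code from the article or from IOActive's report): the first URLSession delegate below reproduces the trust-everything pattern that lets a forged certificate through, and the second shows the hardened form, which runs the system chain evaluation and then pins the SHA-256 of the bank server's leaf certificate. The pinned hash value is a constructed placeholder.

```swift
import Foundation
import Security
import CryptoKit

// Constructed placeholder: replace with the base64 SHA-256 of the real server certificate (DER).
let pinnedLeafCertHashes: Set<String> = ["REPLACE_WITH_BASE64_SHA256_OF_SERVER_CERT_DER"]

/// Weak pattern: whatever the server presents is wrapped in a credential and accepted without
/// evaluation, so a MITM proxy holding any self-signed certificate is trusted.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust)) // trust never evaluated
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

/// Hardened pattern: let the OS validate chain, expiry and hostname, then additionally require
/// the leaf certificate to match a pinned hash; anything else cancels the connection.
final class PinningDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError),           // standard PKI validation first
              let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafDER = SecCertificateCopyData(leaf) as Data
        let leafHash = Data(SHA256.hash(data: leafDER)).base64EncodedString()
        if pinnedLeafCertHashes.contains(leafHash) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil) // valid-looking but unexpected cert
        }
    }
}

// Usage: URLSession(configuration: .default, delegate: PinningDelegate(), delegateQueue: nil)
```

Pinning the leaf certificate means the app must ship a new hash before the bank rotates its certificate, so production apps usually pin a backup hash as well.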
14 Cyber Warnings E-Magazine – CTIA Special Edition, September 2014
Copyright © Cyber Defense Magazine, All rights reserved worldwide