Banks should look for new – secure – ways of exchanging information with their clients after the emergence of malicious software which allows criminals to steal passwords and text message security codes from people’s phones, security firm Group-IB warned.
More than 541,000 smartphones running on Android in Russia,
Europe and the US are already infected with malware which grants
the perpetrators full access to people’s mobile devices, a report
by the Moscow-based company said.
The hostile program is distributed through “massive spam on the
SMS-messages,” Nikita Kislitsin, head of botnet intelligence at
Group-IB, told RT.
“People would receive different messages saying something
like: ‘Hey, this is my fresh set of photos. Please download it.’
And it turns out that it’s just a piece of malware,” he
said.
“The criminals come up with new… social engineering techniques
to trick people… They try to imitate well-known companies; they
try to mimic software updates to well-known software
applications or plugins.”
According to the tech specialist, the cyber thieves are looking
for people’s money, as “it’s no secret that all the banks in
Russia – like 90 percent of them – they’re using SMS-messages to
deliver secret codes in order to confirm money payments.”
When the malware is installed, the criminals “get access to
pretty much everything you have on your phone” –
text-messages, calls, photos, contact list and so on, Kislitsin
said.
“They’ll look in your messages for SMS from your bank to find out
how rich you are. Mostly, you can find the information about your
balance on your banking account and based on this information
they can conclude how interesting you are,” he added.
The malware gives “the ability to send any arbitrary SMS from
your phone to any number in the world and perform phone calls
from your phone to any number in the world.”
Group-IB released a screenshot showing a program that the
criminals use to organize the information they steal.
A drop-down menu next to each of the victims’ phone numbers
provides full information on the device and offers options
such as “grab SMS, perform phone calls, steal contact list, get
images,” Kislitsin explained.
Another problem is that it’s almost impossible to track the rogue
program once it’s installed on the phone.
“Mostly, people notify that they’re hacked when they’re losing
money… General people wouldn’t notice this malware for years
because it doesn’t give a sign – any sign – that it’s
installed,” he said.
Talking about protection from a possible attack, Kislitsin
urged smartphone users not to be “naïve.”
“In 95 percent of the cases, people do install malware by
themselves. It’s not a super Zero Day, which allows to execute
any arbitrary code without any sign. Next advice is to use
anti-viral software. But it’s not a guarantee at all,” he
said.
“You’re also 100 percent secure with your old phone [from five-10
years ago]” as the malware is too complicated for them, the
tech specialist added.
Kislitsin believes that to really solve the problems, the banks
should completely rethink the way they exchange sensitive data
with their clients.
This branch of cybercriminal activity started around a decade ago
when the banks started using text messages as a secure way to
confirm payments, but now we need a new system, “something
better,” he said.