Dubai: ESET researchers warn of the underestimated threat of fake banking apps, a type of mobile banking malware that impersonates legitimate finance applications to steal credentials for, or money from, its victims’ bank accounts. While technically far from advanced, fake banking apps have strategic advantages that makes them comparably effective to much more sophisticated types of malware with the same goals.
The conclusion comes from ESET’s new research of the current Android banking malware landscape, documented in the white paper “Android banking malware: Sophisticated Trojans vs. Fake banking apps ”. The research identifies fake banking apps and sophisticated banking Trojans as the two most prevalent types of Android banking malware and provides insight into their go-to tricks and techniques.
“Our analysis of the two types of banking malware – both of which have previously been discovered in the official Google Play store – has shown that the simple operation of fake banking apps comes with certain advantages that the feared banking Trojans don’t have,” explains Lukáš Štefanko, ESET malware researcher.
The main strength of the fake apps according to Štefanko is their direct impersonation of legitimate banking applications. If users fall for the impersonation and install a fake banking app, there is a high chance they will treat the login screen displayed by the app as legitimate and submit their credentials. And, contrary to banking Trojans, there are no intrusive permission requests to raise the users’ suspicion after installation. Besides this, sophisticated banking Trojans are more prone to detection due to their advanced techniques acting as triggers for various security measures.
“While banking Trojans have long been regarded as a serious threat to Android users, fake banking apps have sometimes been overlooked due to their limited capabilities. Despite not being technically advanced, we believe fake banking apps might be just as effective at emptying bank accounts as banking Trojans,” comments Lukáš Štefanko.
To stay safe from banking malware, ESET experts recommend that users:
- Keep their Android device updated and use a reliable mobile security solution
- Stay away from unofficial app stores, if possible; always keep “installation of apps from unknown sources” disabled on their device
- Before installing an app from Google Play, always check its ratings, content of reviews, number of installs, and requested permissions; continue paying attention to the app’s behavior after it is installed
- Only ever download banking and other finance apps if they are linked on the official website of the bank or financial service
For a detailed overview of the two types of Android banking malware and ways of staying safe from them, please refer to the white paper at ESET’s blog, WeLiveSecurity.
The release of the white paper comes just ahead of Mobile World Congress in Barcelona where Lukáš Štefanko will present at ESET booth and will be available for interviews. ESET will be exploring Machine Learning/Artificial Intelligence, sharing new research and key findings in mobile security and showcase its security solutions at the global expo – taking place February 25 – 28, 2019 in Barcelona, exhibiting in Hall 7, stand 7H41.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.
Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.
The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.
To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.