As cash transactions become a thing of the past, an increasing number of people’s interactions with their bank or bank accounts happen through their smartphones. According to a 2020 Statista survey of five thousand odd households across 25 States in India, two-third respondents said they had a smartphone. Of these, half said they sent and received money digitally, and about 31% said they had a mobile app for banking. Nearly 14% said they used their mobile phones for banking-related purposes. This number further jumped as the COVID-19 pandemic made a lot more people switch to digital modes of payment instead of transacting with cash. Convenience and quickness in completing payments via mobile applications also played a key role in accelerating this trend. This acceleration brings along with it a vulnerability: an increased threat of cyberattacks on mobile devices.
Kaspersky’s view of the threat
Global cybersecurity firm Kaspersky warns of an increase in cyberattacks on Android and iOS devices in the Asia Pacific (APAC) as more people switch to mobile banking in the region. According to Kaspersky’s senior malware researcher Suguru Ishimaru, mobile banking Trojans are dangerous malware that can steal money from mobile users’ bank accounts by disguising the malicious application as a legitimate app to lure unsuspecting people into installing the malware. (A Trojan is a malicious code or software that looks legitimate but can take control of your device, including smartphones.)
At the APAC Cyber Security Weekend conference on Thursday, Mr. Ishimaru pointed out two prominent malware campaigns that operate in the region and target smartphone users in several countries.
Trojans let loose
One mobile banking trojan, called Anubis, has been targeting Android users since 2017, and its worldwide campaigns have hit users in Russia, Turkey, India, China, Colombia, France, Germany, the U.S., Denmark, and Vietnam. The malware has continued to be one of the most common mobile banking trojans with one in 10 unique Kaspersky users encountering a banking threat from the malware. The perpetrators infect the device through legitimate-looking and high-ranking malicious apps on Google Play, smishing (phishing messages sent through SMS), and BianLian malware, another mobile banking Trojan, Mr. Ishimaru noted.
Roaming Mantis is another prolific malware targeting mobile banking users. The group attacks Android devices and spreads the malicious code by hijacking domain name systems (DNS) through smishing exploits. Kaspersky’s research team has been tracking the malware since 2018; and between the start of 2021 to the first half of 2022 alone, they detected nearly half a million attacks in the APAC region.
Mr. Ishimaru said that while this threat group is known for targeting Android devices, their recent campaign has shown interest in iOS users. The group targets users by sending smishing texts with a short description and a URL landing page. If a user clicks on the link and opens the landing page, they are redirected to a phishing page. For iOS users, the landing page mimics Apple’s official website; while Android devices download another malware. And once the individual inputs their login credentials and proceed to the two-factor authentication, the attacker gets to know the user’s device and login details.
“There is a notion that iOS is a more secure operating system,” Mr. Ishimaru said. “However, we [users] must take two things into account — the increasing sophistication of mobile bankers’ social engineering techniques and malware arsenal and the possibility for human errors.”
Interoperability compounds problems
Mobile payment platforms like Google Pay, PaytM, PhonePe, Square, PayPal, and Alipay have benefited from the shift in consumers’ adoption of mobile banking.
As a result, they have also permanently changed the payments game to their advantage. But these platforms are operating in a closed-loop payment world where a Google Pay user can send money to another bank account via only the search giant’s payment platform. This is similar to how Visa and Mastercard operate as they let payment transactions happen only within their own networks, not between each other.
This business model could change “driven partly by regulators that prefer open, standardised platforms that lower barriers to entry,” according to an Accenture report on banking trends in 2022.
Some countries are already making payment platform providers change their business model. China, for instance, has ordered its internet companies to offer their rival firm’s link and payment services on their platforms. In India, a new law demands all licensed mobile payment platforms to be capable of providing interoperability between wallets. The push from regulators to make payment platforms interoperable comes at a time when the demand for technical experts is a serious concern in the banking industry.
The shortage of technology, engineering, data and security experts needed by banks to realise their digital aspirations tends to hide a much wider problem: banks’ appeal as first-choice employers of all kinds of talent has faded, Accenture’s report adds. The lack of adequate cybersecurity and the dearth of talent in banking could potentially lead to a further rise in cyberattacks on user devices. And until this mismatch is fixed, it helps to be careful and extremely cautious when using a mobile device to make payments. Apart from the usual digital hygiene practices like keeping the phone up-to-date and rebooting regularly, consumers can ensure they use their phones for banking only when the device is connected to a secure VPN. iOS 16 users can turn on the Lockdown Mode as it limits the device’s functionality and protects it from any potential malware.
