Mobile banking malware surges in 2019

Mobile banking malware surged in the first half of the year, email scams geared up and attacks on cloud increased, while illicit cryptocurrency miners declined, report reveals

Banking malware has evolved to become a very common mobile threat, with a 50% increase in attacks this year compared with the first half of 2018, according to the latest cyber attack trends report by Check Point.

The report is based on data from Check Point’s ThreatCloud intelligence between January and June 2019, highlighting the key tactics cyber criminals are using to attack businesses.

“Today, banking malware is capable of stealing payment data, credentials and funds from victims’ bank accounts, and new versions of these malware are ready for massive distribution,” the report said.

The surge in mobile baking malware is attributed, in part, to the availability of malware-building kits for sale in underground forums.

“In this way, the builders of mobile bankers, such as Asacub and Anubis, can allow the creation of new versions of these malware, ready for massive distribution,” the report said.

The most popular banking malware in the first half of the year included the banking trojan Ramnit (28%), Dyre variant Trickbot (21%) and trojan Ursnif (10%).

Banking malware is part of a wider trend demonstrated in the first half of the year in which attackers launched a wide range of attacks to capitalise on the move to mobile devices and apps, including credential theft through fake apps and surveillance operations.

“So far this year, we have seen more and more malicious actors adapting techniques and methods from the general threat landscape to the mobile world,” the report said. This includes the use of evasion techniques such as delayed execution to avoid sandboxes, using transparent icons with empty application labels, encrypting the malicious payload, and turning off anti-malware protections.

“It is quite evident that cyber criminals have boosted their skillsets and creativity for mobile attacks, determined to evade detection while keeping their malware persistent and effective,” the report said, adding that threat actors are stepping up their efforts and, as a result, mobile attacks are likely to increase in future.

Top mobile malware detected so far this year includes Android backdoor Triada (30%), Android hacking tool Lotoor (11%), and Android repackaging tool Hidad (7%).

The report noted that the past six months have shown that no environment is immune to cyber attacks, with threat actors developing new tool sets and techniques, targeting corporate assets stored on cloud infrastructure, individuals’ mobile devices, trusted third-party suppliers’ applications and mail platforms.

Read more about mobile malware

According to the report, threat actors are extending their attack methods to focus on the supply chain, often installing malicious code into legitimate software.

Email scammers have also started to employ various evasion techniques designed to bypass security solutions and spam filters such as encoded emails, images of the message embedded in the email body, as well as complex underlying code that mixes plain text letters with HTML characters, the report said.

Other methods allowing scammers to remain under the radar of spam filters and reaching targets’ inboxes include social engineering techniques and personalising email content.

The growing popularity of public cloud environments has led to an increase in cyber attacks targeting enormous resources and sensitive data residing within these platforms, said the report. According to researchers, the lack of security practices, misconfiguration and poor management of cloud resources remain the most prominent threats, exposing cloud assets to an array of attacks.

“Be it cloud, mobile or email, no environment is immune to cyber attacks,” said Maya Horowitz, threat intelligence group manager at Check Point.

“In addition, threats such as targeted ransomware attacks, DNS [domain name system] attacks and cryptominers continue to be relevant in 2019, and security experts need to stay attuned to the latest threats and attack methods to provide their organisations with the best level of protection.”

The number of organisations impacted globally by illicit cryptominers declined to 26% from 42% in the same period a year ago as a result of the Coinhive drive-by mining service shutting down.

However, the report said Coinhive was still the most common malware seen the first half of the year, impacting 7.2% of organisations globally, tying with Cryptoloot and followed by XMRig (6.3%).

Coinhive accounted for 23% of cryptominers detected in the first half of the year, followed by Cryptoloot (22%) and XMRig (20%).

In Europe, the Middle East and Africa, however, the most prevalent malware was Cryptoloot (6.3%), followed by Coinhive (6%), Jsecoin (5.3%) and XMrig (4.9%).

Read more on Hackers and cybercrime prevention