An update on mobile cybersecurity threats for the summer of 2023
The world is becoming increasingly mobile. In some fields, such as consumer payments, mobile users already far outnumber PC-based users, which makes smartphones a tempting target for criminals. Even when the target is the same, there are several ways to classify the threats and the threat actors behind them. One way, which we have used before, is to group threats by platform and channel: front-end, network and back-end. Another is to look at where the attacks come from, which is the approach I have taken here. Where an attack comes from largely determines both the kind of attack and the resources available to the attacker, and that in turn matters when planning how to mitigate it.
Opportunistic threat agents
Measured by the number of attackers, this is by far the largest group. Here you find individuals scanning networks and websites for vulnerabilities or using social engineering to trick victims into approving fraudulent payments, operators of fake webshops that never ship the goods, and people buying malware from shady “Dark Web” marketplaces. What the attackers in this category have in common is that they are usually amateurs, typically looking to make a quick buck with as little effort as possible.
On the threat side, one new vector stands out: with the rise of AI and large language models, people have started offering chatbots tuned specifically for social engineering. WormGPT is one example, but even ChatGPT can be used for social engineering with the right prompts. Using a GPT-like system lets criminals automate believable social engineering to a far higher degree than before. Modern AI tools have also made voice cloning and even real-time video manipulation more readily available. One example is a variant of a social engineering attack where the attacker first takes over someone’s WhatsApp account, then uses a voice changer to sound like that person while asking all of their contacts for some quick cash for an emergency. I am sure we will see this type of attack fully automated in the future.
Seen from the perspective of a bank or fintech, this group is not a major threat in itself, since Strong Customer Authentication should already ensure that the payer knows who the payee is and what amount is being paid. Your customers will still fall for social engineering, however, and with the stricter payment security rules coming with PSD3 it is more important than ever that every transaction is properly authenticated. It may even be worth adding an extra prompt: “This looks like fraud. Are you really sure about this transaction?” It costs you next to nothing, but it can directly help a customer avoid fraud, and indirectly help you by avoiding one more fraud case to handle. A good source of practical information on the kinds of attacks seen at this level is the Scams subreddit.
Organised crime groups
This is where the more formalised groups are found. Some of them have hundreds of employees, as is the case with the operations behind call-centre scams. With more people and more money it becomes possible to fund genuinely new types of attacks, such as developing new malware or infiltrating company infrastructure. Ransomware is one example, but there are also groups building specialised malware that targets the apps of banks and payment service providers. A typical attack on payment providers uses apps that masquerade as the real payment app, trick the user into entering their banking details and password, and steal one-time passwords (OTPs), particularly those sent over SMS. One report from this summer concerns SpinOk, a spyware SDK found embedded in otherwise legitimate Android apps, which reportedly reached around 30 million users.
This category of attackers should be the primary source of worry for banks and fintechs: they can finance the development of new malware, run large social engineering campaigns and launder the funds they steal. A question worth asking yourself is: “If you were behind the SpinOk campaign referenced above, with access to 30 million phones, how many of those phones run a potential victim’s payment app?”
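The two points above, that SCA should make the payer aware of who the payee is, and that malware goes after OTPs delivered over SMS, meet in what PSD2 calls dynamic linking: the confirmation code is cryptographically bound to the payee and amount, so a code captured for one transaction cannot authorise another. The following is an added example, not code from the original post, showing one way to implement that binding on the server side. The HMAC construction, the per-device key, the IBANs and the `ConfirmationService` class are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. A real deployment would use a per-device key
# provisioned when the customer enrols the app, never a hard-coded constant.
DEMO_DEVICE_KEY = b"demo-device-key-not-for-production"


def canonical_transaction(payee: str, amount_cents: int, currency: str, nonce: str) -> bytes:
    """Encode exactly the fields the customer is shown and approves.

    A fixed field order plus a separator that may not appear inside a field
    avoids ambiguous encodings such as ("AB", "C") versus ("A", "BC").
    """
    for field in (payee, currency, nonce):
        if "|" in field:
            raise ValueError("separator not allowed in transaction fields")
    return f"{payee}|{amount_cents}|{currency}|{nonce}".encode()


def linked_code(key: bytes, payee: str, amount_cents: int, currency: str,
                nonce: str, digits: int = 8) -> str:
    """Derive a short numeric confirmation code bound to one specific transaction."""
    msg = canonical_transaction(payee, amount_cents, currency, nonce)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226, section 5.3) so the code is typeable.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class ConfirmationService:
    """Server side: issues one-time, transaction-bound codes and verifies them."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key
        self._pending: dict[str, tuple[str, int, str]] = {}

    def start(self, payee: str, amount_cents: int, currency: str) -> tuple[str, str, str]:
        nonce = secrets.token_hex(8)
        self._pending[nonce] = (payee, amount_cents, currency)
        code = linked_code(self._key, payee, amount_cents, currency, nonce)
        # The message shown to the customer repeats payee and amount next to the
        # code, so whoever approves can see exactly who is being paid how much.
        message = f"Pay {amount_cents / 100:.2f} {currency} to {payee}? Code: {code}"
        return nonce, code, message

    def confirm(self, nonce: str, payee: str, amount_cents: int, currency: str, code: str) -> bool:
        expected = self._pending.get(nonce)
        if expected is None:
            return False  # unknown nonce, or the code was already consumed
        if expected != (payee, amount_cents, currency):
            return False  # submitted transaction differs from the one the code was issued for
        genuine = linked_code(self._key, payee, amount_cents, currency, nonce)
        if not hmac.compare_digest(genuine, code):
            return False  # wrong or forged code
        del self._pending[nonce]  # single use
        return True


def demo() -> dict[str, bool]:
    """Walk through a legitimate approval and the redirections malware would attempt."""
    svc = ConfirmationService(DEMO_DEVICE_KEY)
    victim_payee = "DE89370400440532013000"     # constructed example IBAN
    attacker_payee = "GB29NWBK60161331926819"   # constructed example IBAN
    # The customer starts a legitimate payment of 50.00 EUR and receives a code.
    nonce, code, _message = svc.start(victim_payee, 5000, "EUR")
    results = {}
    # Malware on the phone captures the code and tries to redirect the payment.
    results["code_reused_for_other_payee"] = svc.confirm(nonce, attacker_payee, 5000, "EUR", code)
    results["code_reused_for_other_amount"] = svc.confirm(nonce, victim_payee, 500000, "EUR", code)
    # Without the device key the attacker cannot compute a valid code either.
    forged = str((int(code[0]) + 1) % 10) + code[1:]
    results["forged_code"] = svc.confirm(nonce, victim_payee, 5000, "EUR", forged)
    # The genuine transaction goes through once...
    results["genuine_accepted"] = svc.confirm(nonce, victim_payee, 5000, "EUR", code)
    # ...and the same code cannot be replayed afterwards.
    results["replay_rejected"] = not svc.confirm(nonce, victim_payee, 5000, "EUR", code)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The binding shown here protects against a captured code being used for a different payee, amount or transaction; it does not stop SMS-stealing malware from reading a code for a transaction the attacker initiated themselves, nor a customer from reading it out over the phone. That remaining gap is exactly why the confirmation text must name the payee and amount, and why the extra “Are you really sure?” prompt suggested above is worth its cost.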
An important point is that there is considerable overlap between opportunistic threat agents and organised crime. Once an attack stops being profitable for a large group, it can still be sold on to amateurs. Many of the malware packages sold on the Dark Web are of this kind: old attacks such as Zeus, repackaged and sold relatively cheaply.
Nation-state level attacks
This is the level where attacks are carried out by government “three-letter agencies”, or by smaller governments buying from commercial companies that specialise in producing malware and spyware. The most illustrative example of what a government agency can do was leaked in 2013, when Der Spiegel published the NSA “ANT catalog” from 2008-2009. It is quite stunning what could be done even 15 years ago with a nearly unlimited research budget and few legal constraints to follow.
It is hard to say what they are capable of today, but a recent mitigation from Google gives some hints. A few days ago Google went semi-public with the news that Pixel devices had been vulnerable to attacks on the baseband software running the modem stack, which made it possible to execute code remotely on the device from up to 3 miles away using a cheap software-defined radio. This kind of attack is very hard to protect against, even for a phone maker, because the baseband software is bought as a “black box” by everyone except the very largest companies. Relatedly, Google recently announced that organisations will be able to disable older mobile protocols, such as 2G or even 3G, for their users’ devices. Fortunately, developing this kind of attack is typically extremely costly, or even requires having people working inside the baseband vendor.
An example of a commercial vendor is NSO Group, which has become well known for its Pegasus spyware. This kind of spyware is essentially a RAT (remote access trojan), delivered through unpatched vulnerabilities in mobile operating systems, in common messaging apps, or even in the underlying protocols.
Seen from an application provider’s perspective there is not much you can do against attacks at this level, but on the other hand your company is unlikely to be a target. What is scarier is that the kinds of vulnerabilities exploited here today will likely become both cheap and easy for criminal gangs to exploit in the future.
What Can Be Done?
If you are responsible for security at a bank or another payment service provider, the sheer number of potential threats, attacks and attack surfaces can seem overwhelming. A good way to start is to work through the following questions:
- Identify attackers: which of the groups above are interested in your business functions?
- Identify targets: which parts of your operation are tempting targets, such as your app, customer onboarding or customer service?
- Assess current protections: what security measures do you already have in place against those attackers and targets?
If you are interested in discussing this topic further, our newly established professional services offering can help you explore your options. Stay vigilant, stay informed, and adapt to the evolving threat landscape to safeguard your organisation and your customers.