In 2019 there was a surge of malware, particularly in the mobile banking sector. According to the latest report from Checkpoint, the growth in banking malware has been over 50% compared to 2018. As an example, Kaspersky reported that 438,709 of their mobile users encountered 3,730,378 financial attacks, and this does not include other types of mobile malware. So for this post, we’ll look at what malware is, why it works, and what it does once installed.
While there might be several reasons for malware to target end-users, the most common reason is financial gain. What we often see looks something like:
Two of the more common mobile malware suites in 2019 are Triada and Triout. Triada has even been found preinstalled on cheap mobile phones from the Far East.
Both Triout and Triada are modular collections of different software packages. They can be used as remote controls for devices (a “RAT”), for communicating with other devices, and for gaining elevated access rights. Common to both Triada and Triout is that they carry a laundry list of exploits that can be used to gain root rights on Android - rights far beyond what is possible with normal Android permissions.
Root-access makes it possible for the malware to:
Root access makes it very hard to discover that the device has been infected, as the malware has essentially the same access to the system as the software provided by the phone manufacturer.
Still, even without root-access rights, malware might be able to:
The most efficient kind of malware is the kind that end-users aren’t aware of. Of course, it is also the kind that is only triggered once (when it is most profitable for the malware creators).
An example of this would be when an attacker has figured out how to exploit a common banking app, and has created a module that transfers money from any available account. Yet a malware infection is not stand-alone: it depends on a command-and-control server, which receives information and sends commands and updates.
In the background, there is an entire ecosystem of malware authors and criminal gangs communicating through underground forums. Accessing these kinds of forums can be surprisingly easy, and it does not take much effort to find cheap prepackaged malware suites that can be used to remote-control infected phones, or software that can run on command-and-control servers. While we never advise trusting services or devices bought off the dark web, it can still be quite educational to see what is available out there.
In our next post, we’ll look at how malware spreads and what you can do to avoid being infected.