Fake Commbank Security App Uses SMS Authentication To Target Bank Accounts


Developed to improve security for users doing their banking online, the SMS authentication process used by Commonwealth Bank (and many other banking institutions all over the world) is now being used by hackers as a gateway into many bank accounts.

The Malware

The trojan dubbed “hardcore88” was discovered by Russian cyber security firm Group IB on a Russian underground Android forum, where it was being sold.

The mobile banking trojan bypasses the SMS verification code security measure by posing as a security app from Commbank, and then proceeds to block calls from the victim’s bank and capture incoming SMS messages that would otherwise carry the one-time verification passcode required to complete an online transaction.

The trojan tricks users into installing the mobile malware by injecting a page into the victim’s browser when they log into their online account on their PC. The page is disguised to look like it comes from CommBank, but it is actually from the attacker; it asks the user to enter their mobile phone number and install a mobile app it claims Commonwealth Bank has recently introduced. Social engineering comes into play here, with potential victims told the bank has introduced new rules that require the customer to install a “special bank certificate”, and that failing to install it will lock them out of online banking.

A spokesperson from Commonwealth Bank said the bank actively monitors sites promoting malware for Android and other mobile devices, as well as banking sessions for the presence of these viruses:

“The Commonwealth Bank works with CERT Australia and other authorities to try and combat this. Our advice to customers is to always download any apps to their Android mobile devices from an authorised platform app store, such as the Google Play Store or Samsung Apps.”

Commonwealth Bank is not the only bank to be targeted by this piece of malware, with customers of banks in other countries also subjected to these attacks. However, CommBank is the first Australian bank to be identified as a target.

The Problem With SMS Authentication

This isn’t the first instance of the SMS authentication process being used as a conduit for malware. Earlier this year, Perkele for Android (uncovered by security blog Krebs On Security), an Android SMS malware package that targeted customers of Citibank, HSBC and ING in Australia as well as 66 other financial institutions around the world, was being sold as licences over the web.

The app works the same way as hardcore88, operating in tandem with PC malware called “Web Injects” that can modify how bank websites are displayed in a user’s browser. The malware fires as soon as the victim goes to log into their bank account via their PC, with the ‘web inject’ informing the victim that, to complete the mobile authentication component of the login process, they will need to install a special security certificate on their phone. Once the user enters their mobile number, they are sent an SMS or HTTP link to download the malware onto their phone. The user then verifies the app with a special supplied code, which prompts the app to send an SMS back to the licence holder of the malware, ultimately bypassing the SMS authentication process.

The SMS authentication method is a great step by banks towards helping protect their users’ personal data, but the ability of hackers to bypass it shows, as cyber security experts have pointed out, that it falls short of being a fool-proof security method.

Users Beware

If this isn’t enough to make you more cautious about what you install on your phone, according to Krebs on Security the Perkele for Android malware is not a very complex piece of malware. In fact, the article mentions there are many more sophisticated pieces of malware out there, targeted particularly at the Android platform, which places a huge emphasis on being cautious about the pages you visit and the apps you use, and on being aware of the risks.

While banks and dedicated mobile app stores such as the Google Play store and the App Store for iOS do actively take steps to identify and remove malware, users must be aware that they are not entirely bulletproof. The amount of Android malware has significantly increased, jumping 614% in a year, which means there’s a fair amount out there. However, simply because there is a large amount of malware for Android devices doesn’t mean you need to consider moving to another operating system to keep your personal data safe. Statistics such as these should always be taken with a grain of salt, as the chance of becoming a victim of mobile malware is usually very slim.

Ultimately, despite all of the security measures implemented by banking institutions and dedicated app stores, it comes down to the discretion of the user. Now more than ever, users need to exercise caution with all web and app activity. By simply taking a moment to read and understand an app’s permissions before you install it, or checking an app’s reviews and ratings, you stand a better chance of keeping malware off your smartphone and away from your personal details.
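The behaviour described above (capturing incoming SMS codes, forwarding them by SMS, and watching or interfering with calls) shows up in the permissions and receivers an Android app declares, which is exactly what the advice to read an app’s permissions is getting at. The following triage script is an added example, not code from the article or from either malware family; it parses a constructed sample manifest (not taken from any real sample) and flags the combination of declared capabilities that an SMS-interceptor banking trojan needs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups, each on its own harmless, that together match the
# SMS-code-stealing pattern described in the article.
SMS_CAPTURE = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SEND_SMS = "android.permission.SEND_SMS"
CALL_CONTROL = {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
                "android.permission.PROCESS_OUTGOING_CALLS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest for a fake "bank certificate" app (hypothetical).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.bankcert">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank Security Certificate">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

def high_priority_sms_receiver(manifest_xml):
    """True if an intent-filter listens for SMS_RECEIVED with a raised priority
    (the ordered broadcast lets such a receiver see the message before other apps)."""
    root = ET.fromstring(manifest_xml)
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        prio = flt.get(ANDROID_NS + "priority")
        if SMS_ACTION in actions and prio is not None and int(prio) > 0:
            return True
    return False

def triage(manifest_xml):
    """List the capabilities that, combined, match the interceptor pattern."""
    perms = permissions(manifest_xml)
    findings = []
    if perms & SMS_CAPTURE:
        findings.append("reads incoming SMS (can capture one-time codes)")
    if SEND_SMS in perms:
        findings.append("can send SMS (can forward captured codes)")
    if perms & CALL_CONTROL:
        findings.append("telephony access (can detect or interfere with calls)")
    if high_priority_sms_receiver(manifest_xml):
        findings.append("high-priority SMS_RECEIVED receiver")
    return findings
```

A manifest is only one signal; an app with a bank’s name and a permission list that matches all four findings is the case where the reviews-and-ratings check, and the official app store, matter most.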

Source: The Age