Man-in-the-Browser Steals Your Bank Account

I personally don’t use any smartphone banking apps. I guess I just know too much about how easily they can be hacked. Sure, maybe your bank will compensate you for any lost funds, but that isn’t guaranteed. A lot depends on how quickly you report the loss. They may even decide that your behavior was, for some reason, irresponsible. Think of it this way. They can’t make it easy for you to scam the bank by working with a hacker to make money. In any event, you’ll still have to go through the trouble of getting new credit cards.

So the banks can’t rely only on the good behavior of their clients. That’s why they use various forms of two-factor authentication (2FA). Sometimes they’ll send you a one-time password by text/SMS. Some use a phone call. Others issue transaction authentication numbers (TANs) on special card grids that must be scratched off when directed.

Although 2FA goes a long way towards preventing accounts from being hacked, it is not foolproof. Hackers have found a number of ways to compromise 2FA, and probably the most common is a phishing attack. An email that appears to be a legitimate communication from the bank tells the victim that, for one reason or another, they must log into their account, and a link is usually supplied in the body of the email. The victim, thinking the communication is legitimate, clicks the link and lands on a page that looks exactly like the bank’s login site; the URL may also be crafted to resemble the bank’s. Once the victim enters their login credentials, the attacker has them. After “logging in” on the fake site, the victim is sent to another spoofed page which tells them to enter the one-time password (OTP) that will be sent to their phone. The spoofed site itself cannot send any password, since the attackers don’t know the victim’s phone number; it relies on the real bank to do that.

Meanwhile, the attacker uses the newly captured credentials to log in to the real bank site. To the bank, this simply looks like the victim logging in. The bank tells the attacker’s session that an OTP is required and sends it, not to the attacker, but to the victim’s phone.

So the victim really does receive a genuine OTP, but types it into the spoofed site. The attackers take that OTP and use it to get into the victim’s bank account. Once the victim submits the OTP on the spoofed site, they can be redirected anywhere. Often it is the bank’s home page, but it could be any site that delays their next attempt to log in; the victim simply thinks they did something wrong. Usually they try to log in again, but by then their account has been compromised: they may be locked out, or they may find that money has been sent to an account they know nothing about. Banks can block transfers to unknown accounts by requiring an additional password for such transactions. However, a victim who receives a second password may be confused and, thinking they made a mistake, simply enter it into the spoofed site too, after which the attacker can use it to finish the transfer. That said, requiring a password for every transaction makes a hacker’s life far more difficult.

But hackers aren’t easily dissuaded from making easy money. They have learned a new technique that abuses the Android architecture to harvest banking information. As it stands, Android’s built-in sandbox prevents one app from accessing the data of another. This protection can be bypassed by rooting the device, but rooting is difficult for most malware. However, as was recently seen in the Monitor Minor stalkerware, there is a way around this problem: Accessibility Services. Accessibility Services were developed to help people with disabilities use a smartphone, usually through voice recognition technology, and the key point is that most apps allow Accessibility Services to interact with them. Once the victim is fooled, through a phishing email or other means, into downloading and opening an app that hides the TrickBot Trojan, they are in a position to be manipulated through a man-in-the-browser type attack. According to IBM X-Force researchers, TrickBot then presents the victim with a security app, seemingly from their bank. The fake app claims that it is needed for secure online banking and presents the victim with a code they must use. The researchers have named this fake app TrickMo, and it possesses the following capabilities.

[Image: TrickMo capabilities, from the IBM X-Force report]

Once installed on the target device, the TrickMo app asks for permission to use Accessibility Services. With that granted, it is capable of:

[Image: TrickMo operations]

While on the device, the malware begins harvesting data and sending it to the C&C server. According to the IBM X-Force team, this information includes:

[Image: data collected by TrickMo]

This data constitutes the phone’s fingerprint. Banks may use such information to verify that an account is being accessed from a device they are familiar with, often termed a ‘trusted device’. Attackers could use this data to emulate a trusted device and access the banking site themselves. Importantly, the malware is also in a position to intercept any SMS/text message containing a 2FA password and forward it immediately to the C&C server.

The fact that TrickMo gains control of all SMS communications means that the attackers have first access to any OTPs from the bank, even if a password is required for a money transfer.
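Two bank-side controls follow directly from the two problems described so far: the relayed-OTP phishing flow (an OTP is a bearer code, so whoever holds it can use it) and the copyable device fingerprint (everything TrickMo harvests is plain data, so a copy of it is as good as the original). The example below is an added illustration, not code from the post or from any bank; it assumes a transfer code computed as an HMAC over the exact transfer details, and a trusted-device enrolment that stores a per-device key which, in the assumed design, lives in the phone's hardware keystore and is never exported. Names such as `BANK_KEY`, `VICTIM_PHONE`, `register_device` and `check_login` are mine, and the device profile and IBANs are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real bank keeps this in an HSM, not in source.
BANK_KEY = b"demo-bank-key-not-a-real-secret"

# Constructed device profile of the kind the post says TrickMo harvests.
# Every field here is plain data, so malware that can read it can replay it.
VICTIM_PHONE = {
    "model": "Pixel 3a",
    "android_version": "10",
    "imei": "CONSTRUCTED-IMEI-000000",
    "sim_operator": "26201",
}

# Trusted-device registry (hypothetical): account -> {"fingerprint": ..., "key": ...}
TRUSTED: dict = {}


def device_fingerprint(profile: dict) -> str:
    """Hash the copyable device fields into the 'fingerprint' a bank might recognise."""
    material = "|".join(f"{k}={profile[k]}" for k in sorted(profile))
    return hashlib.sha256(material.encode()).hexdigest()


def register_device(account: str, profile: dict) -> bytes:
    """Enrol a phone as trusted. Besides the fingerprint, record a per-device key
    that (assumed design) lives in the phone's hardware keystore and is never
    exported. The key is returned only so this demo can play the phone."""
    key = secrets.token_bytes(32)
    TRUSTED[account] = {"fingerprint": device_fingerprint(profile), "key": key}
    return key


def device_assertion(device_key: bytes, challenge: bytes) -> str:
    """What the genuine phone can compute and a cloned fingerprint cannot."""
    return hmac.new(device_key, challenge, hashlib.sha256).hexdigest()


def check_login(account: str, profile: dict, challenge: bytes, assertion: str) -> str:
    """Return 'trusted', 'step-up' (unknown device) or 'reject' (fingerprint
    matches but the device cannot prove possession of its key: likely cloned)."""
    rec = TRUSTED.get(account)
    if rec is None or device_fingerprint(profile) != rec["fingerprint"]:
        return "step-up"
    if not hmac.compare_digest(device_assertion(rec["key"], challenge), assertion):
        return "reject"
    return "trusted"


def issue_transfer_code(account: str, amount_cents: int, iban: str, nonce: str) -> tuple:
    """Transaction-bound code: an HMAC over the exact transfer details, which the
    SMS names so the customer sees what the code approves. Returns (code, sms)."""
    msg = f"{account}|{amount_cents}|{iban}|{nonce}".encode()
    digest = hmac.new(BANK_KEY, msg, hashlib.sha256).digest()
    code = f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"
    sms = (f"Code {code} approves a transfer of {amount_cents / 100:.2f} EUR "
           f"to {iban}. Do not share this code.")
    return code, sms


def verify_transfer_code(account: str, amount_cents: int, iban: str, nonce: str, code: str) -> bool:
    """Valid only for the transfer it was issued for: a relayed code cannot be
    redirected to a different amount or recipient."""
    expected, _ = issue_transfer_code(account, amount_cents, iban, nonce)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    key = register_device("acct-1", VICTIM_PHONE)
    challenge = secrets.token_bytes(16)
    # Genuine phone: fingerprint matches and it can answer the challenge.
    print(check_login("acct-1", VICTIM_PHONE, challenge, device_assertion(key, challenge)))
    # Replayed harvested profile: fingerprint matches, but no keystore key.
    print(check_login("acct-1", dict(VICTIM_PHONE), challenge, device_assertion(b"guess", challenge)))
    code, sms = issue_transfer_code("acct-1", 2000, "DE00-CONSTRUCTED-A", "nonce-1")
    print(sms)
    print(verify_transfer_code("acct-1", 2000, "DE00-CONSTRUCTED-A", "nonce-1", code))
    print(verify_transfer_code("acct-1", 490000, "DE00-CONSTRUCTED-B", "nonce-1", code))
```

The transfer-code binding does not stop a customer who reads the SMS and still types the code into a phishing page, nor a phone where malware reads the SMS before the customer does, which is exactly the residual risk the post describes; what it removes is the attacker's ability to repurpose a code for a different transfer, and what it adds is a detail line the customer can check. The device check makes a different point: a fingerprint built from harvested fields is worth nothing on its own, because a match from a device that cannot also prove possession of its enrolled key is a stronger sign of a cloned profile than of a trusted phone.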

TrickMo is programmed not to run all the time. It will activate when the screen is turned on or a new SMS message is received. This prevents it from being removed during a system reboot.

As with the more traditional 2FA attacks described above, the attackers need to buy time once they finally access the victim’s bank account. TrickMo has a way to do this: it activates a lockdown screen which makes it impossible for the victim to navigate. One technique uses a transparent window with a fake loading cursor. Because of the persistence built into the malware, even a reboot doesn’t remove the “stuck” screen.
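The capability mix described in the last several paragraphs (an accessibility service, SMS interception, an overlay window, and receivers that wake the app on SMS arrival or boot) is visible in an app's manifest before it ever runs, which is what a reviewer or a mobile-security team looks for when triaging a "bank security" app. The example below is an added illustration of that triage, not code from the post or from IBM X-Force; it assumes the manifest has already been decoded from the APK's binary XML (apktool or androguard can do this), and the weights, the `triage_manifest` function and both sample manifests are my own constructions rather than anything from a real TrickMo sample.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Indicators matched to the behaviours described above. Weights are a heuristic
# of my own; they are not taken from the IBM X-Force report.
USES_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": (3, "sms", "intercept incoming SMS, e.g. bank OTPs"),
    "android.permission.READ_SMS": (2, "sms", "read stored SMS"),
    "android.permission.SYSTEM_ALERT_WINDOW": (2, "overlay", "draw over other apps (lock screen, fake loading window)"),
    "android.permission.RECEIVE_BOOT_COMPLETED": (1, "persist", "restart after reboot"),
    "android.permission.READ_PHONE_STATE": (1, "fingerprint", "read device identifiers"),
}
RECEIVER_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": (3, "sms", "wakes when an SMS arrives"),
    "android.intent.action.BOOT_COMPLETED": (1, "persist", "wakes on boot"),
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Caveat: ACTION_SCREEN_ON can only be registered at runtime (registerReceiver),
# never in the manifest, so a screen-on trigger is invisible to this check.


def triage_manifest(xml_text: str) -> dict:
    """Score a decoded AndroidManifest.xml for the capability mix described above.
    Returns the score, human-readable findings, and whether the full
    accessibility + SMS + overlay pattern is present."""
    root = ET.fromstring(xml_text)
    score, findings, tags = 0, [], set()

    def hit(weight, tag, text):
        nonlocal score
        score += weight
        tags.add(tag)
        findings.append(text)

    for up in root.iter("uses-permission"):
        name = up.get(ANDROID + "name", "")
        if name in USES_PERMISSIONS:
            w, tag, why = USES_PERMISSIONS[name]
            hit(w, tag, f"{name}: {why}")
    for svc in root.iter("service"):
        # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
        # once the user enables it, it can read and act on other apps' screens.
        if svc.get(ANDROID + "permission") == ACCESSIBILITY_PERMISSION:
            hit(3, "accessibility", f"service {svc.get(ANDROID + 'name')}: accessibility service")
    for rcv in root.iter("receiver"):
        for action in rcv.iter("action"):
            name = action.get(ANDROID + "name", "")
            if name in RECEIVER_ACTIONS:
                w, tag, why = RECEIVER_ACTIONS[name]
                hit(w, tag, f"receiver {rcv.get(ANDROID + 'name')} on {name}: {why}")
    # The combination is the real signal; any one indicator alone has benign uses.
    pattern = {"accessibility", "sms", "overlay"} <= tags
    return {"score": score, "findings": findings, "banking_trojan_pattern": pattern}


# Constructed manifest mimicking the capability mix; not a real TrickMo sample.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebanksecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Bank Security">
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(f"score={r['score']} pattern={r['banking_trojan_pattern']}", *r["findings"], sep="\n  ")
```

Manifest triage is a first filter, not a verdict: legitimate accessibility tools, SMS apps and screen-dimming utilities declare some of these entries, and a banking trojan that registers its receivers at runtime or requests permissions lazily will score lower than this sample. The pattern flag is deliberately conservative for that reason; the individual findings are what an analyst reads before looking at the code.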

TrickMo also has a kill switch through which it can uninstall itself after it completes its mission. Unfortunately for TrickMo, this is where the IBM X-Force team found its vulnerability: the attackers appear to have hard-coded an SMS message that triggers the kill function. In fact, if you believe you have been infected with TrickMo, you can kill it by sending yourself the following SMS message.

HrLbpr3x/htAVnAgYepBuH2xmFDb68TYTt7FwGn0ddGlQJv/h

For the moment, however, you probably don’t need to worry about TrickMo unless you live in Germany, where the attackers appear to be testing it. But this is no reason to be complacent. When the attackers feel they have perfected TrickMo, they are likely to release it on unsuspecting victims around the world. If you live in any of the countries normally targeted by TrickBot, shown on the map below, it might be a good idea to be a little more careful when you use your Android smartphone to do some banking. Do not download any app that appears to come from your bank unless you thoroughly check it out. Better yet, consider giving up on smartphone banking entirely.

[Image: map of countries normally targeted by TrickBot]
