6 Scary Tactics Used in Mobile App Attacks

Mobile app attacks have been going on for many years, but the threat is rapidly evolving as more sophisticated malware families with novel features enter the scene.

Mobile platforms are increasingly under threat as criminal and nation-state actors look for new ways to install malicious implants with advanced capabilities on iPhone and Android devices.

Although mobile attacks have been an ongoing problem for many years, the threat is rapidly evolving as more sophisticated malware families with novel features enter the scene.

Attackers are now actively deploying malware with full remote access capabilities, modular design, and, in some cases, worm-like characteristics that can pose significant threats to users and the companies they work for. Many of these malware families are continually improving through regular development updates, and cybercriminals are getting better at beating the review process of official app stores. Meanwhile, both the US and EU are considering new antitrust regulations that could make “sideloading” apps a consumer right.

It is important for businesses to recognize that mobile attacks are a key focus area for sophisticated threat actors. These attacks will continue to evolve as new tools and tactics emerge, posing unique challenges to traditional corporate security.

Here are six mobile malware tactics that companies need to prepare for:

1. On-Device Fraud
One of the most concerning new mobile app malware advancements is the ability to carry out fraudulent actions directly from the victim’s device. Known as on-device fraud (ODF), this advanced capability has been detected in recent mobile banking Trojans, most notably Octo, TeaBot, Vultur, and Escobar. In Octo’s case, the malware abuses Android’s MediaProjection service (to enable screen sharing) and Accessibility Service (to perform actions on the device remotely). This hands-on remote access has also been achieved through an embedded VNC implementation, as in the case of Escobar and Vultur.

ODF marks a significant turning point for mobile app attacks, which have largely focused on overlay-based credential theft and other types of data exfiltration. Although most ODF Trojans are primarily focused on financial theft, these modules could be adapted to target other types of accounts and communications tools used by businesses, such as Slack, Teams, and Google Docs.

2. Phone Call Redirection
Another troubling capability is the interception of legitimate phone calls, which recently emerged in the Fakecalls banking Trojan.

In this attack, the malware can break the connection of a user-initiated call without the caller’s knowledge and redirect the call to another number under the attacker’s control. Because the call screen continues to show the legitimate phone number, the victim has no way of knowing they have been diverted to a fake call service. The malware achieves this by requesting call-handling permissions when the app is installed.

3. Notification Direct Reply Abuse
In February, FluBot spyware (Version 5.4) introduced the novel capability of abusing Android’s Notification Direct Reply feature, which allows the malware to intercept and directly reply to push notifications in the applications it targets. This feature has since been discovered in other mobile malware, including Medusa and Sharkbot.

This capability allows the malware to sign fraudulent financial transactions, intercept two-factor authentication codes, and modify push notifications. The same feature can also be used to spread the malware in a worm-like manner to the victim’s contacts by sending automated malicious replies to notifications from social applications (such as WhatsApp and Facebook Messenger), a tactic known as “push message phishing.”

4. Domain Generation Algorithm
The Sharkbot banking Trojan is also notable for another feature: a domain generation algorithm (DGA), which it uses to avoid detection. As with conventional malware that uses a DGA, the mobile malware constantly generates new domain names (and hence new IP addresses) for its command-and-control (C2) servers, which makes it difficult for security teams to detect and block the malware by blocklisting a fixed set of indicators.

Read more: https://bit.ly/3lu9GmI
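As an added illustration of how defenders hunt for the DGA behaviour described above (example code written for this article, not code from Sharkbot or from any vendor tool), the Python below scans constructed DNS resolver log lines for clients that produce a burst of NXDOMAIN answers to random-looking domains. The log format, the lexical thresholds, and the single-label-TLD assumption are all illustrative assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not real indicators):
# timestamp, client IP, queried name, response code.
SAMPLE_DNS_LOG = """\
2022-05-10T09:14:02Z 10.0.0.21 www.example.com NOERROR
2022-05-10T09:14:05Z 10.0.0.21 mail.example.org NOERROR
2022-05-10T09:14:07Z 10.0.0.21 qkxzvbtpwjrhgn.net NXDOMAIN
2022-05-10T09:14:09Z 10.0.0.21 mdrxtqvzplwbkc.com NXDOMAIN
2022-05-10T09:14:11Z 10.0.0.21 accounts.google.com NOERROR
2022-05-10T09:14:13Z 10.0.0.21 hjqzxvwtkrfgbpln.org NXDOMAIN
2022-05-10T09:14:15Z 10.0.0.33 www.example.com NOERROR
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def registrable_label(fqdn):
    """Label left of the TLD. Assumes single-label TLDs; a real deployment
    would consult the Public Suffix List (e.g. for .co.uk)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def shannon_entropy(s):
    """Bits per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def vowel_ratio(s):
    letters = [c for c in s if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0

def looks_generated(label):
    """Lexical heuristic: long, high-entropy, vowel-poor label. Thresholds are
    illustrative assumptions, not values tuned on a real DGA corpus."""
    return len(label) >= 10 and shannon_entropy(label) >= 3.3 and vowel_ratio(label) < 0.2

def find_dga_clients(log_text, min_hits=3):
    """Map client -> suspicious names for clients with >= min_hits NXDOMAIN
    answers to generated-looking names (a DGA probing for a live C2 domain)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole batch
        _ts, client, fqdn, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_generated(registrable_label(fqdn)):
            hits[client].append(fqdn)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}
```

Pairing the lexical score with the NXDOMAIN burst is what keeps legitimate but odd-looking hostnames from being flagged on their own; in production the thresholds would be tuned against the organisation's own resolver baseline.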
