When it comes to banking transactions, more and more people rely on their smartphones to transfer money quickly and easily while on the move. Competition for young customers is particularly strong in the banking and finance sector, with the result that users can initiate and manage their transactions even more easily. Cybercriminals have also realised that they need to focus on smartphones, especially since these are often far less secure than computers. After all, it is very easy for users to unwittingly download an app that contains a remote access trojan (RAT). And this can end up costing them dearly. To learn how this malware attacks your mobile banking or crypto wallet app – and how you can protect yourself – read on.
The concept of a remote access trojan is not new. After all, this malware is simply a subcategory of trojans. It steals information from infected systems or allows cybercriminals to control a computer remotely, much like the TeamViewer software. Unlike with this popular support program, however, the user is unaware that another person has gained control over the device.
RATs also differ in what they do. Certain malicious programs only target passwords, account data or other sensitive data, which are then passed to cybercriminals. In another type of attack, the trojan mirrors the victim's screen, allowing the hacker to track the movements and actions of their victim in real time. Here too, the intention is usually to steal passwords and banking details.
Since more and more people are using their smartphones to manage their banking and crypto transactions, the number of RAT-based attacks against these devices has increased dramatically. These attacks often begin with sophisticated social engineering that aims to persuade users to install the malware on their device. The methods commonly used are not limited to phishing e-mails or text messages. In many cases, trojans are concealed within fake apps. These are downloaded from an official app store and open the floodgates to hackers.
Another approach is the HTML overlay attack. This is where cybercriminals replicate the page of an online banking app or crypto platform and lay it over the real web page. They can then easily capture data with the help of keylogging.
In most cases, users are completely unaware of the attacks when they use their banking apps or wallets.
RAT: the danger posed by fake apps
Remote-access trojans are considered extremely dangerous. Attacks are usually launched covertly because hackers want to remain undetected for as long as possible. This lets them exploit the data they have stolen for their own purposes without being disturbed.
Moreover, the malware gives criminals access to wide-ranging authorisations on smartphones. In many cases, hackers can control the device fully and inflict highly centralised damage. For the victim, any passwords saved on the device are no longer secure.
Since this type of malware is often very difficult to uncover and remains unnoticed, it can easily get past common antivirus systems or firewalls. Hackers often lurk in the system for weeks or months before they strike. On top of this, the malware can often be removed only with great difficulty.
Beware of sharks and tea
Up to now, people have relied mainly on standard antivirus technologies to detect malware – especially on smartphones. These systems search for names of suspicious files and regularly monitor apps and their hashes for malware. However, this approach is rapidly becoming ineffective because hackers have developed their programs further.
Right now, the banking trojan SharkBot is wreaking havoc. First discovered a few months ago, it spread unnoticed using the fake antivirus apps Kulhavy Mobile Security and Mister Phone Cleaner, which are available on the Google Play Store. The apps were downloaded more than 60,000 times. Most worryingly, Google initially failed to detect the trojan because the malicious code was not even contained in the app: it is only downloaded later as part of an update. When a user logs into their bank account, the malware steals session cookies and sends them to a command-and-control server. At the same time, the malicious application allows the criminals using it to take control of the smartphone and intercept SMS messages. This also allows them to get around OTPs (one-time passwords).
Another notorious banking trojan is 'TeaBot', also known as 'Anatsa', which targets a growing number of apps. First uncovered in 2021, this malware has many functions that allow it to spy on login details, initiate HTML overlay attacks and take complete control of the smartphone. TeaBot has spread worldwide and currently ranks among the top ten banking trojans.
Both trojans can inflict severe financial pain on victims if criminals gain access to login and account details and initiate money transfers without being noticed.
Measures to block remote access trojans
The usual security methods still play a vital role here. In other words, users should be extremely careful about opening emails that seem suspicious or untrustworthy, even if they appear to come from a known sender.
Apps should only be downloaded from known platforms – but even then, it's worth a second glance. If confronted by a fake app of a known brand, you will often notice that the logo differs from the original or that the brand name is spelled incorrectly. Reviews and ratings also provide useful clues as to whether this is a fake app. The more reviews there are, the more likely it is that you are dealing with a genuine application. Likewise, we strongly recommend checking the access rights that the app requires and the scope of these rights.
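The access-rights check recommended above can be automated for an app's manifest. The following Python code is an added example, not part of the original article: it flags requested rights that enable the behaviours described earlier (SMS interception, overlays, code installed after download, remote control). It assumes the AndroidManifest.xml has already been decoded to text; the permission-to-behaviour mapping, the function names and the sample manifest are this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> behaviour from the article it can enable (mapping is this example's assumption).
RISKY = {
    "android.permission.RECEIVE_SMS": "read incoming SMS (OTP interception)",
    "android.permission.READ_SMS": "read stored SMS (OTP interception)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install code fetched after download",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (screen reading, remote control)",
}

def audit_manifest(manifest_xml):
    """Return (package, sorted list of (permission, reason)) for a decoded manifest."""
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("DTD/entities are not expected in a manifest")
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # An accessibility service is declared on <service>, not via <uses-permission>.
    requested |= {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    findings = sorted((p, RISKY[p]) for p in requested if p in RISKY)
    return root.get("package"), findings

def verdict(findings, declared_purpose_needs=()):
    """'review' when the app asks for risky rights its stated purpose does not need."""
    unexplained = [p for p, _ in findings if p not in declared_purpose_needs]
    return ("review", unexplained) if unexplained else ("ok", [])

# Constructed sample: a "phone cleaner" manifest, not taken from any real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    package, findings = audit_manifest(SAMPLE)
    print(package, verdict(findings))
    for perm, reason in findings:
        print(f"  {perm}: {reason}")
```

A flagged permission is not proof of malware; it marks a right that the app's stated purpose should be able to explain, which is what `declared_purpose_needs` expresses.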
To ensure even more effective protection against nasty surprises, we recommend implementing multi-factor authentication (MFA), a security mechanism that is based on multiple levels. Biometric processes can be used to streamline the authentication process. After all, facial or fingerprint scans present an additional hurdle for hackers and will help keep your account or wallet secure.