In today’s world, the accelerating use of mobile devices for manipulating, storing, and transporting sensitive corporate or personal data has become inevitable. Advanced technology has also opened up multiple levels of data breaches, which have a significant impact on the financial industry. For businesses, app security is one of the most important aspects, yet it is often overlooked by developers, which allows cybercriminals to infiltrate their apps. The more effort and money you invest in securing your business’s apps, the safer your organization will be!
One of the biggest threats to Android apps is the mobile overlay attack. The “mobile overlay attack” is a new attack vector that abuses legitimate mobile apps to target the mobile OS and other apps through overlays, dialogs or display ads, leading to harmful behavior. An overlay attack (also known as clickjacking or a screen overlay attack) uses one or more opaque or transparent layers to trick a user into interacting with a window, link, button or other UI element. A malicious window controlled by the attacker covers the original window, so when the user taps what appears to be the legitimate element, they are actually interacting with the attacker’s element, which secretly performs an action that serves the attacker’s purpose. To make the attack more convincing, attackers often combine mobile overlay attacks with social engineering, fake apps and malware.
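The framework-level countermeasure to the covered-window trick just described is touch filtering: Android tells a view whether the touch it is about to receive passed through another window on its way down. The following Kotlin view is an added example written for this article, not code from the original post or from any product it mentions; the class name and log tag are assumptions.

```kotlin
// Added example (not from the article): a button for a sensitive action such as
// "confirm transfer" that drops any touch delivered while another window is
// drawn over it. ObscuredTouchRejectingButton and the tag are assumed names.
import android.content.Context
import android.util.AttributeSet
import android.util.Log
import android.view.MotionEvent
import android.widget.Button

class ObscuredTouchRejectingButton @JvmOverloads constructor(
    context: Context,
    attrs: AttributeSet? = null,
) : Button(context, attrs) {

    init {
        // Framework switch (API 9+): discard touches that arrive while this view's
        // window is completely covered by another window. Equivalent to
        // android:filterTouchesWhenObscured="true" in the layout XML.
        filterTouchesWhenObscured = true
    }

    // The framework calls this for every touch before dispatch. Returning false
    // swallows the event, so a tap through an overlay never reaches onClick().
    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        val fullyObscured =
            (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        // Partial obscuring (flag set by the system on API 29+, always 0 before):
        // a small transparent window placed only over the button is the classic
        // overlay trick, and the full-window flag alone does not catch it.
        val partiallyObscured =
            (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0

        if (fullyObscured || partiallyObscured) {
            // Record the event for threat forensics. What happens next (re-prompt,
            // step-up authentication, refuse the transaction) is an app policy choice.
            Log.w(TAG, "Touch rejected: window obscured (flags=0x${event.flags.toString(16)})")
            return false
        }
        return super.onFilterTouchEventForSecurity(event)
    }

    companion object {
        private const val TAG = "OverlayGuard"
    }
}
```

Use the class in place of a plain `Button` for any control whose tap moves money or changes credentials. The property alone already blocks fully obscured touches; the override adds the partial-obscuring case and a log line that a threat monitoring component can pick up.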
Mobile overlay attacks are also described as super-invasive because a malicious actor can control mobile OS functionality ranging from displaying dialogs to forcing the uninstallation of legitimate apps. In addition, these attacks generate revenue for the malicious actors.
In finance and banking apps, the attacker’s most common overlay technique is creating a fake copy of the app’s UI and covering the user’s screen with it. The prime aim of such an overlay attack is usually to gain access to the user’s information, such as security questions, app secrets, API keys, usernames and passwords, ATM PIN codes, credit card details, account numbers, etc.
One of the most commonly used data-harvesting techniques relies on a fake bank certificate app (APK) that can be downloaded from a third-party site. Using a fake certificate allows attackers to set up a fake banking portal and harvest credentials without raising suspicion, as users assume they are visiting the official bank’s website.
Cybercriminals might also use overlay attacks to build a backdoor for themselves so they can deliver malware to the device later. For instance, Android allows users to install applications from outside the Google Play Store, which can be highly unsafe. As part of a mobile overlay attack, the attacker tricks the user into enabling “Allow installing from unknown sources” and then delivers malware onto the device.
Cybercriminals also use mobile overlay attacks to trick users into granting administrative privileges that let the attacker control the Android app remotely. For instance, when an attacker tricks the user into enabling an Android Accessibility Service (a privilege designed to help users with disabilities, for example by handling touch events, speech-to-text and screen readers), they gain the highest level of privileges. Attackers then use these privileges to perform actions on the user’s behalf, such as reading and writing emails and SMS, committing click fraud, stealing cryptocurrency keys, accessing two-factor authentication codes, and controlling apps or the mobile device itself.
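An app cannot stop the user from enabling an accessibility service, but it can see which services are enabled and which of them hold the capability that drives a UI on the user’s behalf, and raise its risk score accordingly before a sensitive action. The following is an added example for this article, not code from the original post or any product it mentions; the allowlist, the `AccessibilityGuard` and `AccessibilityRisk` names and the risk model are assumptions.

```kotlin
// Added example (not from the article): report which accessibility services are
// enabled on the device and which fall outside an allowlist, so the app can
// raise its risk score before a transfer. Names and allowlist are assumptions.
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.view.accessibility.AccessibilityManager

data class AccessibilityRisk(
    val enabled: List<String>,      // "package/class" id of every enabled service
    val unexpected: List<String>,   // enabled services not on the allowlist
    val canDriveUi: List<String>,   // unexpected services able to inject gestures
) {
    val elevated: Boolean get() = unexpected.isNotEmpty()
}

object AccessibilityGuard {
    // Constructed allowlist: TalkBack is Google's screen reader, which many users
    // genuinely depend on. Extend it with the services your user base needs.
    private val ALLOWED_PACKAGES = setOf("com.google.android.marvin.talkback")

    fun assess(context: Context): AccessibilityRisk {
        val manager =
            context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        // FEEDBACK_ALL_MASK: every enabled service, whatever feedback type it declares.
        val services = manager.getEnabledAccessibilityServiceList(
            AccessibilityServiceInfo.FEEDBACK_ALL_MASK
        )
        val unexpected = services.filter {
            it.resolveInfo.serviceInfo.packageName !in ALLOWED_PACKAGES
        }
        // CAPABILITY_CAN_PERFORM_GESTURES (API 24+) is what lets a service tap,
        // swipe and type for the user; it is the capability a malicious service
        // needs to operate the banking UI behind an overlay.
        val canDriveUi = unexpected.filter {
            (it.capabilities and AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0
        }
        return AccessibilityRisk(
            enabled = services.map { it.id },
            unexpected = unexpected.map { it.id },
            canDriveUi = canDriveUi.map { it.id },
        )
    }
}
```

Call `AccessibilityGuard.assess(this)` from the activity that hosts the sensitive flow; when `elevated` is true, require step-up authentication or send the `unexpected` list to your threat monitoring backend rather than silently blocking, since a legitimate assistive service may be on the list.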
Southeast Asia faces the highest number of mobile banking frauds globally. Data shows that 70% of the 2.3 million frauds reported globally in 2017 came from Southeast Asia, with Indonesia experiencing the highest fraud loss at $188 million. Further, according to Kaspersky Lab’s data, Asian countries occupy six of the top 10 positions on the list of countries with the most infections by banking Trojan-SMS apps.
Southeast Asian banking apps, such as those of Bank Negara Malaysia (Malaysia), BDO Bank (Philippines) and Siam Commercial Bank (Thailand), have recently been victims of overlay attacks, experiencing not one but multiple attacks over the last 3 years alone. The most heavily targeted banks were those in the Philippines, with over 40% of all infections located there. Almost one-third of users who downloaded fake apps from Google Play were from the US. However, the majority of those affected globally were located in Malaysia and Indonesia, two countries where banking Trojans have been particularly prevalent for several years now.
Critically, mobile banking customers’ security has never been at risk as it is today. The combination of the device’s screen lock and password, Android’s accessibility features, and many mobile banking apps’ poor security implementation creates a perfect storm for attackers to exploit and steal money from an unsuspecting user.
The very first step in protecting Android apps from overlay attacks is to avoid downloading any app from outside the Google Play Store. Moreover, always verify an app’s permissions, because attackers are sometimes able to get past the Google Play Store’s safety net; ensure that the requested permissions are relevant to the app’s purpose. Finally, avoid clicking on suspicious links in emails, even when they appear to come from trusted sources.
The rise of overlay attacks has significantly increased the need for multi-layer protection, since two-factor authentication alone is not sufficient to protect apps. A more sophisticated approach is needed to secure business-critical mobile applications: identifying whether an app is mimicking genuine functionality or performing malicious activity, encrypting key code and program functions, and finally having in place a threat monitoring solution that greatly raises the security posture against any irregularity.
By conducting security testing before the initial launch and distribution of a mobile app, developers can remove the sources of malware infection. Mobile app security testing should focus on three important aspects of the application: its structure, its code, and its interaction with other components.
One of the most important tasks for mobile app developers is to carry out a comprehensive security test that reveals the app’s vulnerabilities before launch.
The whole purpose of the security test is to discover and fix any vulnerabilities in the mobile app. This may include testing for sensitive data leaks, attack vectors and other exploits, providing increased assurance that your app is ready for its users. Sensitive data refers to any information that should be kept private and not disclosed to third parties or other entities, including anything that could compromise the security of the application, such as passwords, banking details, social security numbers, etc.
While security testing will only verify a small portion of all possible vulnerabilities, it is a great starting point if done correctly. Once you know which parts of the app are vulnerable, you can add further tests to cover more ground.
One of the key ways of preventing mobile overlay attacks is to integrate runtime protection, such as address space layout randomization (ASLR) and data execution prevention (DEP), into the mobile apps themselves. DEP mitigates exploitation by marking memory pages that should hold only data (the stack and heap, for example) as non-executable: injected shellcode cannot be executed from such a page, and shellcode that has already been loaded into such a region cannot run either. Having in place an effective security policy and automated attack mitigation that detects malware on the fly effectively prevents malicious apps from executing their intended behavior.
One of the latest security innovations is RASP (Runtime Application Self-Protection) technology. It is well suited to financial applications because it adds multi-layered protection by integrating security into the app itself, so an attacker would have to breach several layers of security that are more complex to break down. Besides that, RASP detects behavior instead of specific code signatures, giving it a higher ability to block overlay attacks.
Cyber-attacks on Android apps have devastating consequences. User information can be stolen and their privacy compromised, putting businesses at risk of bad publicity and regulatory compliance violations. In addition, financial fraud can result in lost revenue, which ultimately brings the loss of shareholder and customer trust. If the cyber-attack goes on for long enough, a business could lose its brand reputation and sustain irreversible damage. This is where in-app protection comes in.
In-app protection includes a set of tools shared with developers to help them quickly integrate authentication functionality and security into Android apps. In addition, in-app protection must apply binary code protection in a layered approach, using shielding, tamper-proofing, root detection, encryption and obfuscation to make apps harder for both automated tools and people to exploit.
In-app protection detects man-in-the-middle (MitM) attacks and manipulation of network connections. Using this data, your business app must identify SSL stripping and MitM attempts to proxy or decrypt the app’s traffic, and immediately produce threat forensics.
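As an added example of the SSL-stripping and MitM checks this paragraph describes (not code from the article or from any product it mentions), the following Kotlin client refuses cleartext URLs and downgrade redirects, and compares the negotiated certificate chain against pinned SubjectPublicKeyInfo hashes; the failure reasons it returns are the raw material for the threat forensics mentioned above. The host name `bank.example`, the `PinnedClient` name and the pin values are placeholders.

```kotlin
// Added example (not from the article): detect the two network manipulations
// named in the text. SSL stripping shows up as a cleartext URL or a redirect to
// http://; a proxying MitM shows up as a certificate chain whose keys match none
// of the pins. Host name and pin values are placeholders.
import java.net.URL
import java.security.MessageDigest
import java.security.cert.Certificate
import java.security.cert.X509Certificate
import java.util.Base64
import javax.net.ssl.HttpsURLConnection

sealed class NetCheck {
    data class Ok(val conn: HttpsURLConnection) : NetCheck()   // caller reads the body
    data class Failed(val reason: String) : NetCheck()         // forensics payload
}

object PinnedClient {
    // Placeholder pins for an assumed host. Real values are the base64 SHA-256 of
    // the server's SubjectPublicKeyInfo: a leaf pin plus a backup pin for the
    // intermediate CA, so a certificate rotation does not lock users out.
    private val PINNED_SPKI_HASHES: Map<String, Set<String>> = mapOf(
        "bank.example" to setOf(
            "sha256/PLACEHOLDER_PRIMARY_PIN=",
            "sha256/PLACEHOLDER_BACKUP_PIN=",
        )
    )

    // "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)): the pin format used by
    // HPKP and by the <pin> element of Android's network security config.
    fun spkiPin(cert: X509Certificate): String {
        val digest = MessageDigest.getInstance("SHA-256").digest(cert.publicKey.encoded)
        return "sha256/" + Base64.getEncoder().encodeToString(digest)
    }

    // Any certificate in the chain (leaf or intermediate) matching a pin is enough.
    // This runs in addition to the platform's normal CA validation, not instead of it.
    fun chainMatchesPins(host: String, chain: Array<out Certificate>): NetCheck? {
        val pins = PINNED_SPKI_HASHES[host]
            ?: return NetCheck.Failed("no pins configured for $host; CA store alone is not trusted")
        val observed = chain.filterIsInstance<X509Certificate>().map { spkiPin(it) }
        return if (observed.any { it in pins }) null
        else NetCheck.Failed("pin mismatch for $host; observed=$observed")
    }

    fun open(url: URL): NetCheck {
        // SSL stripping, case 1: the app was handed a plain-HTTP URL.
        if (url.protocol != "https") return NetCheck.Failed("cleartext URL refused: $url")

        val conn = url.openConnection() as HttpsURLConnection
        conn.instanceFollowRedirects = false   // never follow a redirect blindly
        conn.connectTimeout = 10_000
        conn.connect()                         // performs the TLS handshake

        // MitM proxy: the chain is whatever the interceptor presented.
        chainMatchesPins(url.host, conn.serverCertificates)?.let { failure ->
            conn.disconnect()
            return failure
        }

        // SSL stripping, case 2: the server (or an interceptor) redirects to http://.
        val location = conn.getHeaderField("Location")
        if (conn.responseCode in 300..399 && location != null &&
            location.startsWith("http://", ignoreCase = true)
        ) {
            conn.disconnect()
            return NetCheck.Failed("downgrade redirect to $location")
        }
        return NetCheck.Ok(conn)
    }
}
```

Route every call the banking flow makes through `PinnedClient.open`, and treat a `Failed` result as a security event to report, not as a transient network error to retry, because a retry through the same interceptor only hands the attacker another attempt.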
Multiple types of malware can be detected by in-app protection. Several remote access trojans (RATs), such as Monokle, BankBot, Cerberus and Anubis, have appeared on mobile devices. This is an emerging trend, as companies push more services and convenience to mobile devices. Most of these RATs monitor notifications, password entries and clipboards to gather additional information about the user and their credentials.
Many conditions have significantly increased the exposure of mobile endpoints: it is now up to users whether to update the OS to patch known vulnerabilities, whether to set a strong PIN code, and whether to jailbreak or root their device. In-app protection gives you visibility into the risk of using mobile apps and lets you enforce conditional access based on measurable risks.
Businesses should understand that mobile app security is not essential only for customers’ private data; it also affects the overall brand reputation. Furthermore, with increasing data breaches and hacking attempts, users are highly aware of app security issues and prefer secure apps over those that put their sensitive information at risk. Therefore, your business applications should satisfy users’ needs and must provide them with robust security.
This article was first published on MEDIUM on 3rd November 2021.