
Old Techniques, New Channel
Mobile Malware Adapting PC Threat Techniques
May 2014

Table of Contents
Introduction
PC Threat Techniques Expanding to Mobile
    Cross-Channel Attacks Leveraging Mobile
    Bypassing Out-of-Band Authentication
    Mobile Application Phishing
    Mobile Malware
Understanding Mobile Fraud Risk
    The Trusteer Mobile Risk Engine
    Detect High-risk Using Trusteer SDK
    Detect High-risk: Secure mobile access to online banking using Trusteer Mobile App (Secure Browser)
Conclusion
IBM Mobile Security Solutions
For More Information
About IBM Security Solutions

2014 Trusteer, an IBM Company, All rights reserved.

Old Techniques, New Channel | Mobile Malware Adapting PC Threat Techniques


Introduction
As the number of cell phones exceeds the number of people on our planet, businesses are quickly embracing
mobile technology. According to Juniper Research, consumers see the advantage of accessing banking
capabilities from their mobile device, with mobile banking users expected to exceed 1 billion in 2017.[1]
Banking customers enjoy the flexibility to transact and interact with their financial institution whenever and
wherever they want.
Unfortunately, mobile fraud is also gaining ground as cybercriminals increasingly target this channel. Malicious
code infects more than 11.6 million mobile devices at any given time.[2] End users are falling victim to these
growing mobile attacks.

PC Threat Techniques Expanding to Mobile


Cybercriminals have demonstrated considerable progress in their attacks on the mobile channel. Attacks
have progressed from cross-channel attacks that leverage both the online and mobile channels to
PC-grade malware.

Cross-Channel Attacks Leveraging Mobile


Many mobile account takeover attacks involve both the online and mobile channels. Cybercriminals steal
credentials from a victim's PC via malware or phishing and then use this information to commit account
takeover via the mobile channel by leveraging the lack of device identification capabilities.
Mobile banking via a dedicated mobile banking application or through the bank's mobile website generally
does not support payments to new payees. Therefore, compromising the mobile channel is often less lucrative
than compromising the online banking account. However, criminals can bypass the mobile website and connect
to the full online banking site via the mobile browser to access all features available in the bank's online
banking application, including adding new bill payees.
Cybercriminals access accounts via the mobile channel for one key reason: mobile device ID limitations. One
of the most basic authentication methods used by financial institutions in the online channel is device ID. A
criminal logging in from a new device will sometimes trigger an alert, resulting in increased scrutiny, limited
account access or even a failed login. Mobile devices, and specifically iPhones, present a unique challenge: they
all look the same to a device ID system. When a user browses to a website from the native mobile browser (that
is, an iPhone with the Safari browser), the device characteristics are identical to those of almost all other iPhones:
same hardware, same browser and same fonts. As long as the criminal uses the same device type as the victim,
the criminal's login attempt will not trigger any risk indicators and a fraudulent transaction can occur.


Bypassing Out-of-Band Authentication


Many banks, primarily in Europe, use one-time passwords (OTPs) sent via SMS to the mobile device to
authenticate logins and transactions. Cybercriminals can now bypass this protection by stealing the victim's
SMS message traffic, including SMS OTPs, to fully authenticate fraudulent sessions and transactions.
In an example of this type of attack, cybercriminals first convince online users that they need to supply their
mobile phone number to install a newly required security application on their phone. This is accomplished
by a phishing email or by a malware page injection when the victim visits the online banking site. Next,
users are directed to install a fake security application from a link sent via SMS or made available via a QR
code and to enter the activation code provided by the malware.
Once installed, the mobile malware captures all SMS traffic, including OTP codes sent by the bank to victims
via SMS, and forwards them to the fraudsters. The criminals can then initiate fraudulent transfers via the
online channel and capture the OTP needed to bypass SMS-based out-of-band authorization systems. In this
example, both the online and the mobile channel are targeted by fraudsters.

Mobile Application Phishing


In this attack, mobile users access their application store or market and unknowingly download a fake online
banking application that looks and feels like the real banking application. When users log into the fake
application, they are prompted to enter their personal credentials, including log-in information, personal
information and banking information. In this type of attack, users' credentials are collected by fraudsters and
leveraged across multiple channels.

Mobile Malware
Mobile devices can be infected when users access malicious or compromised websites with exploit code
that targets mobile browser vulnerabilities, also known as drive-by downloads. In these cases, a malicious
application is downloaded and run transparently so that the user never sees any suspicious activity on
the device.
Recently, an Android banking Trojan called SVPENG was discovered targeting Russian and European
financial institutions. SVPENG represents a significant advancement for mobile malware. This attack directly
targets mobile banking application users by tricking the victim into providing his or her credentials using a
common PC malware technique called an overlay attack. In this attack, the malware on the infected device
waits for the user to open the bank's mobile application. Once the malware identifies that a mobile banking
application session is starting, it displays a screen on top of the application (hence the term overlay)
that mimics the look and feel of the bank's application but is in fact a fake page. This forces the user to
unknowingly interact with the malware-generated page, thinking it is the real bank's page, and provide the
banking credentials. While this is not an HTML injection, it is a significant jump in mobile malware capabilities
and represents PC-grade mobile malware.

Figure 1: Example of SVPENG malware

Understanding Mobile Fraud Risk


Because mobility is evolving and traditional PC attack techniques are expanding to the mobile channel
and introducing unique risks, a mobile fraud mitigation approach is essential. The platform must be highly
adaptable to protect against evolving mobile threats in this rapidly expanding channel.


The Trusteer Mobile Risk Engine


Based on the current evolving PC threats expanding to new channels, it is clear that data across both the
mobile and online channels must be considered in order to consistently and accurately identify mobile
risks. The Trusteer Mobile Risk Engine protects the mobile channel by performing a real-time mobile risk
assessment based on device and account risk factors. It enables organizations to mitigate risk by producing
accurate and conclusive recommendations to allow, restrict or deny user access. Organizations can use these
recommendations to apply stepped-up authentication or extended transaction review for high-risk users,
sessions and transactions.
The Trusteer Mobile Risk Engine correlates the following:
Device risk factors: Specific device-level conditions are indicative of the overall likelihood that the device is
sufficiently safe to allow access via either the dedicated banking application or a mobile browser.
Account risk factors: These include specific session and account indicators, such as online malware or
phishing detection, account transaction history, user access patterns and user device-to-account correlation.
When these factors are correlated with device risk factors, effective fraud detection is possible. One simple
illustrative example is correlating an atypical mobile device geolocation (device risk factor) with a recent
online phishing incident (account risk factor), which would be highly indicative of fraud.
Cross-channel correlation: By correlating device and account risk factors with all channel interactions
and transactions, the mobile risk engine can perform at its highest level of accuracy. Protection should be
extended to all mobile banking and payment modalities, including the native mobile banking application
and mobile web access.
The Trusteer Mobile Risk Engine requires device-level data to optimize risk analysis. As in the online channel,
fraud prevention is far more accurate when critical device-level data is incorporated into the fraud analysis
process. Without this data, the risk engine is incapable of accurate fraud identification, leading to missed fraud,
a large number of false positives and unnecessary customer inconvenience.
Device IDs are far more challenging to generate on a mobile device than on a PC because many mobile devices
appear so similar. However, it is possible to generate persistent mobile device identifiers by utilizing on-device
software or an embedded software development kit (SDK), which uniquely identifies the device even across
removal and reinstallation of a mobile application.
Additionally, techniques do exist to uncover sufficient device identifying characteristics to produce an
adequate device ID, especially when other identifying session and account factors are taken into consideration.
Device risk factors may include indicators such as device IDs, geolocation, IP addresses, device times, missing
operating system security patches, jailbroken/rooted device status, risky system configuration settings,
malware infections and use of an unsecured WiFi connection. Device risk data can be used to restrict
functionality based on device risk level; for example, by limiting specific application functions, such as adding
a payee or transferring money, on a jailbroken device. Typically, no single device risk factor is conclusively
indicative of fraud, but when multiple device risk factors are correlated with additional account risk factors,
fraud determination becomes far more conclusive.
Device risk factors are an important component of the Trusteer Mobile Risk Engine analysis, and they
also provide device-level protection before such analysis. Again, whether device risk factors are taken
individually or in combination, their analysis may lead a financial institution to deny account access, restrict
account capabilities or require additional authentication. Furthermore, offering end users the option of
self-remediation allows the institution to better protect itself and its customers while providing exemplary
customer support.
Device-level protection or account-level analysis alone is helpful, but correlating these two protection layers is
a very effective way to reliably and accurately identify mobile fraud.
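The following is an added example, not Trusteer's code, of the correlation this section describes: device risk factors and account risk factors (including a device-to-account check built on a persistent device ID) are scored together into an allow, restrict or deny recommendation, and a restricted session withholds the add-payee and money-transfer functions named above. The factor weights, thresholds, device registry format and all sample values are assumptions made for the illustration.

```python
"""Toy risk correlation in the spirit of the Mobile Risk Engine (added example, not
Trusteer's code). Weights, thresholds and the registry format are assumed values."""
from dataclasses import dataclass

# Device risk factors with illustrative weights (assumed values; names follow the paper).
DEVICE_WEIGHTS = {
    "rooted": 3, "malware": 5, "root_hiding": 4, "missing_patches": 1,
    "unsecured_wifi": 1, "atypical_geolocation": 2,
}
# Account and session risk factors with illustrative weights (assumed values).
ACCOUNT_WEIGHTS = {
    "recent_phishing": 3, "online_malware": 4, "new_device_for_account": 3,
    "device_on_many_accounts": 4, "atypical_access_pattern": 1,
}
# Functions withheld from a restricted session (the paper's own examples).
SENSITIVE_FUNCTIONS = frozenset({"add_payee", "transfer_money"})
CORRELATION_BONUS = 3    # a device factor seen together with an account factor weighs extra
RESTRICT_AT, DENY_AT = 3, 8


@dataclass
class Assessment:
    score: int
    recommendation: str            # "allow" | "restrict" | "deny"
    reasons: list
    restricted: frozenset = frozenset()
    step_up_auth: bool = False


def device_to_account_factors(device_id, account, registry):
    """Account factors derived from a persistent device ID.
    registry: persistent device ID -> set of accounts previously seen on it (constructed data)."""
    seen = registry.get(device_id, set())
    factors = []
    if account not in seen:
        factors.append("new_device_for_account")      # unknown device: challenge it
    if len(seen - {account}) >= 3:                    # one handset used across many accounts
        factors.append("device_on_many_accounts")
    return factors


def assess(device_factors, account_factors):
    """Correlate device and account risk factors into an allow/restrict/deny recommendation."""
    unknown = (set(device_factors) - set(DEVICE_WEIGHTS)) | (set(account_factors) - set(ACCOUNT_WEIGHTS))
    if unknown:
        raise ValueError(f"unknown risk factor(s): {sorted(unknown)}")
    score = sum(DEVICE_WEIGHTS[f] for f in device_factors) + sum(ACCOUNT_WEIGHTS[f] for f in account_factors)
    reasons = sorted(device_factors) + sorted(account_factors)
    # Cross-channel correlation: a device factor plus an account factor (the paper's
    # atypical geolocation + recent phishing case) is stronger evidence than either alone.
    if device_factors and account_factors:
        score += CORRELATION_BONUS
        reasons.append("cross-channel correlation")
    if score >= DENY_AT:
        return Assessment(score, "deny", reasons, SENSITIVE_FUNCTIONS | {"login"})
    if score >= RESTRICT_AT:
        return Assessment(score, "restrict", reasons, SENSITIVE_FUNCTIONS, step_up_auth=True)
    return Assessment(score, "allow", reasons)
```

A single low-weight device factor (for example an unsecured WiFi connection) stays at "allow", a rooted device alone is restricted with step-up authentication, and the geolocation-plus-phishing combination from the text crosses the deny threshold only because the two channels are correlated.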

Detect High-risk Using Trusteer SDK


Trusteer Mobile SDK is invoked when the bank's mobile application, integrated with the Mobile SDK, is
launched, and collects various device risk factors. Risk data is provided to the mobile banking application and
can be used to restrict functionality based on the device risk level. The risk data can also be correlated with
additional device and account risk factors, such as malware infections and phishing incidents, to flag high-risk
access and transactions.
Trusteer Mobile SDK can identify a wide range of risk factors, including:
Persistent device IDs
Jailbroken or rooted devices
Malware infections
Missing operating system patches
Use of unsecured wireless connections
Suspicious applications
Application IDs
Hashed User IDs
SIM data
Geo-location data
Root/Jailbreak hiding techniques.


Figure 2: An example of the Trusteer Mobile App (Secure Browser) displaying malware detected by the
integrated Trusteer Mobile SDK.

In addition, the Trusteer Mobile SDK creates a persistent mobile device ID, allowing the financial institution
to uniquely identify any device using the native mobile banking application. The persistent device ID is
associated with the user's account and uniquely identifies the device, even after the application has been
uninstalled and re-installed. This helps ensure that new devices are identified, login attempts from known
devices are unchallenged, and potential fraudster devices are flagged.

Detect High-risk: Secure mobile access to online banking using Trusteer Mobile App (Secure Browser)
The Trusteer Mobile (Secure Browser) includes a secure mobile browser. End users can use this mobile browser
to safely access online banking websites, and financial institutions can mandate that their online banking
websites are only accessed via Trusteer Mobile (Secure Browser). Whenever a protected website is accessed, a
complete security posture assessment is performed on the device. Trusteer Mobile (Secure Browser) collects
mobile device risk factors and a persistent mobile device ID; it then sends these to the online banking website
and Trusteer Mobile Risk Engine, where they are used for mobile risk assessment.

Figure 3: Trusteer Mobile App (Secure Browser) notifies the user of the device security risks. In this case, the
device has been rooted and malware has been detected.


With the Trusteer Mobile App, users can view their device security status via a dedicated dashboard that alerts
them to their device security risks. Indications of malware infection, unsecured wireless connections and other
security risks are identified. The user can resolve these risks by following the step-by-step remediation guidance
provided by the application.

Conclusion
Today's mobile devices lack the security to stay ahead of the evolving mobile threat landscape. Cybercriminals
will continue to target the mobile channel with sophisticated attack techniques and new emerging techniques,
such as targeted mobile application phishing attacks and customized malware. With the rise of mobile risks
and attack techniques, it's even more important to have a dynamic, integrated fraud prevention platform. As
fraudsters continue to innovate and extend PC threat techniques to the mobile device, the ability to quickly
recognize changes in fraud risks and rapidly deploy appropriate risk-mitigating responses is absolutely
essential to helping secure the mobile channel.

IBM Mobile Security Solutions


As a technology leader, IBM has created a framework with a comprehensive approach to mobile security. This
enables trusted, higher-quality interactions at the device, content, application and transaction level. To this we
have added a further layer of protection and visibility through IBM's Security Intelligence.
IBM offers the capabilities that are most requested to address today's mobile challenges:
Device Security: Solutions to manage a diverse set of mobile devices, from corporate-owned assets to BYOD,
and do it all easily from the cloud.
Content Security: Solutions to help secure file and document sharing across devices and SharePoint.
Application Security: Solutions to develop applications with security by design, and to protect enterprise data in
both the applications you build and the applications you buy.
Transaction Security: Solutions to help protect mobile transactions with customers, business partners and
temporary workers that are not part of your enterprise mobile management framework.
Security Intelligence: A unified architecture for integrating mobile security information and event
management (SIEM), log management, anomaly detection, and configuration and vulnerability
management.


For More Information


To learn more about mobile risk mitigation from Trusteer, an IBM company, please contact your IBM
representative or IBM Business Partner, or visit the following website: ibm.com/security.

About IBM Security Solutions


IBM Security offers one of the most advanced and integrated portfolios of enterprise security products
and services. The portfolio, supported by world-renowned IBM X-Force research and development,
provides security intelligence to help organizations holistically protect their people, infrastructures, data
and applications, offering solutions for identity and access management, database security, application
development, risk management, endpoint management, network security and more. These solutions enable
organizations to effectively manage risk and implement integrated security for mobile, cloud, social media
and other enterprise business architectures. IBM operates one of the world's broadest security research,
development and delivery organizations, monitors 13 billion security events per day in more than 130
countries, and holds more than 3,000 security patents.
Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs
in the most cost-effective and strategic way possible. We'll partner with credit-qualified clients to customize
a financing solution to suit your business and development goals, enable effective cash management, and
improve your total cost of ownership. Fund your critical IT investment and propel your business forward with
IBM Global Financing. For more information, visit: ibm.com/financing.

[1] http://www.juniperresearch.com/viewpressrelease.php?pr=356
[2] http://www.infosecurity-magazine.com/view/36686/mobile-malware-infects-millions-lte-spurs-growth/


Old Techniques, New Channel | Mobile Malware Adapting PC Threat Techniques, May 2014
Trusteer, an IBM Company
545 Boylston Street, 5th Floor
Boston, MA 02116
T: +1 (866) 496-6139
T: +1 (617) 606-7755
trusteer.info@us.ibm.com
trusteer.com
