Is Mobile Banking Safe?

June 8, 2020

Edit June 11, 2020: Wow, I was ahead of the game on this one! Just today, the federal Internet Crime Complaint Center (IC3) released an alert on mobile banking apps. Read that here.


Until recently, I thought mobile banking apps were one of the crowning achievements of the smartphone era. With my bank app, I could deposit checks and watch my account balance without having to drive to the bank. What convenience! And unlike other smartphone innovations, like social media, there didn’t seem to be any downside. At a time when so many digital advances seem to bring as many negatives as positives, I felt I had found an unequivocal benefit of mobile devices.

Well, not so fast. As I began my career in IT and began to study computer security, I grew nervous about mobile banking. No system can be 100% secure, I realized, and mobile devices seemed especially vulnerable. Still, I continued to use my bank app because it was just so convenient.

Now, a new article by Steve Mierzejewski at WorkPlaceTablet.com has renewed my fears. A new variety of mobile malware called TrickMo is now hard at work exploiting users’ bank accounts through their smartphones.

TrickMo is an updated version of Trickbot, a trojan that first appeared on PCs in 2016. To understand why TrickMo is so dangerous, it’s necessary to understand what Multi-Factor Authentication (a.k.a. Two-Factor Authentication) is. Multi-factor authentication means that in addition to entering a password, a user also needs to provide a second factor to sign into an account. The second factor is usually a one-time passcode (OTP) that is sent via text message or through a special app. Many websites now require two-factor authentication, including those of most banks.

TrickMo disguises itself as a legitimate app and tricks the user into installing it on his or her device. TrickMo is then able to defeat two-factor authentication by reading the sign-in code from the phone’s text messages.
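To make the "one-time" in one-time passcode concrete, here is an added example (my own illustration, not code from the original post or from any bank) of how a server should treat an OTP once it has been sent: tied to a single login attempt, expiring after a few minutes, usable only once, and discarded after a handful of wrong guesses. The five-minute lifetime, six-digit length and three-attempt limit are assumed policy values, not anything the article specifies. Delivery of the code (SMS or a push notification) is deliberately left outside the class, because that channel is exactly where the malware described above intercepts it; the server-side rules below limit how long an intercepted code stays useful, but cannot prevent the interception itself.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6           # assumed policy: six-digit numeric code
OTP_TTL_SECONDS = 300    # assumed policy: code expires five minutes after issue
MAX_ATTEMPTS = 3         # assumed policy: code is discarded after three wrong guesses


class OtpStore:
    """Issues and verifies one-time passcodes for individual login attempts.

    Each code is bound to one login attempt id, expires, is single-use and
    is invalidated after MAX_ATTEMPTS wrong guesses. Sending the code to the
    user (SMS, push notification) is the caller's job; issue() only returns it.
    The clock is injectable so the expiry rule can be exercised in tests.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # login_attempt_id -> {"code", "expires", "attempts"}

    def issue(self, login_attempt_id):
        # secrets.choice is a CSPRNG; random.choice would be predictable.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[login_attempt_id] = {
            "code": code,
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, login_attempt_id, submitted):
        rec = self._pending.get(login_attempt_id)
        if rec is None:
            return False  # nothing outstanding, or the code was already consumed
        if self._now() > rec["expires"]:
            del self._pending[login_attempt_id]  # expired codes are never accepted
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[login_attempt_id]  # too many guesses: burn the code
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(rec["code"].encode(), str(submitted).encode())
        if ok:
            del self._pending[login_attempt_id]  # single use: consumed on success
        return ok


def demo():
    """Walks through the three rules with a fake clock; returns the outcomes."""
    clock = [1_000.0]
    store = OtpStore(now=lambda: clock[0])

    code = store.issue("login-1")
    accepted_once = store.verify("login-1", code)      # True
    replay_rejected = not store.verify("login-1", code)  # True: already consumed

    code = store.issue("login-2")
    clock[0] += OTP_TTL_SECONDS + 1
    expired_rejected = not store.verify("login-2", code)  # True: too late

    code = store.issue("login-3")
    wrong = "000000" if code != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        store.verify("login-3", wrong)
    locked_out = not store.verify("login-3", code)  # True: right code, but burned

    return accepted_once, replay_rejected, expired_rejected, locked_out


if __name__ == "__main__":
    print(demo())
```

The point for the reader of the article is the last two rules: even when a malicious app reads the code off the phone, the window in which that code is worth anything is a few minutes and a single use, which is why the author's advice to keep MFA enabled despite its weaknesses still holds.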

However, security personnel have recently begun to shift away from text-message codes, which can be easily exploited (by a malicious app, by stealing someone’s phone, or by tricking the person’s carrier into issuing a replacement SIM card for the target number). One replacement for text messages is pushTAN, which uses special app notifications to send the OTP.

This is where things start to get hairy with TrickMo. TrickMo is now capable of defeating pushTAN via an exploit that allows it to record what appears on the device screen.

So, Is Mobile Banking Still Safe?

Before you freak out and delete your mobile banking app, there are a couple of things you should know about TrickMo. First, so far it’s mainly targeted users in Germany, though it will probably become prevalent in the US soon. Second, TrickMo currently only affects Android phones. While I personally prefer Android to Apple’s iPhone, I have to swallow my pride here and admit that iPhones can be more secure than Android. This is because to install an app on an iPhone (except those that are jailbroken), the app must be approved and listed in the Apple App Store. On Android, however, it is possible to install non-approved apps from third-party sources. Even the official Google Play store has a poor reputation for verifying listed apps. All this makes it less likely that iPhones will be exploited by threats like TrickMo, though it’s definitely still possible.

Let’s not forget about traditional websites you access from a computer, either. While smartphones are especially vulnerable (because multi-factor authentication codes arrive on the same device that’s used to access the bank app), desktop and laptop PCs are still vulnerable. Man-in-the-browser attacks are especially popular for exploiting bank accounts. This type of attack relies on malicious browser extensions (a.k.a. add-ons), which are small helper programs that are added to an Internet browser. Examples of (legitimate) extensions are the Amazon Assistant or the ad-blockers that many people use in Google Chrome and other browsers.

Overall, I’d like to tell everyone to avoid mobile banking and just visit the physical bank branch, but that’s not realistic. Especially with COVID-19 still spreading, telling people to spend more time touching the buttons on the ATM seems irresponsible!

So, what can you do to stay safe when banking from a smartphone or computer?

  • As always, rule number one is to use a strong password.
  • Despite its weaknesses, you should also always use multi-factor authentication.
  • Install as few apps as possible and be very careful about those you do install, especially if you are an Android user.
  • Never use a jailbroken or rooted phone for mobile banking unless you know and understand the risks (and there are risks!).
  • Avoid installing browser extensions and add-ons unless you understand exactly what they do and the risks they create.
  • Use good antivirus software on Windows PCs.

I still think mobile banking is one of the best things about smartphones. However, it’s important to be very cautious when banking from a mobile device or computer, especially as new sophisticated threats like TrickMo appear. And remember this rule of thumb: the more convenient something is, the less secure it probably makes you.
