Report says Australia is an easy target for bank app trojans…Australian banks with poor privacy protections! Quelle surprise!

June 13, 2022

The Australian reports breathlessly, in Australia an ‘easy target’ for bank app trojans, that Australian banks are vulnerable to malware, with 13 of 34 apps being targeted by a variety of banking trojans. Given Australian financial institutions’ spotty records when it comes to data breaches, this story hardly deserves the column inches it gets. In April last year NAB repaid customers $687,000 for a data breach. In August 2019 hackers breached tens of thousands of Australian banking accounts through PayID. In May 2018 the Commonwealth Bank of Australia lost the personal financial histories of 12 million customers. And, being a bank, it decided that its customers did not need to know. The information was contained on magnetic tapes which, of course, were not encrypted.

So the most recent Australian story is worth a run, but it is hardly a novel turn of events. The criticisms in the article about inadequate infrastructure, ineffective consumer protection laws and a poor security mindset have applied for many years. There is no incentive to change. The consequences of a data breach are embarrassment, sitting across the table from the Information Commissioner for a few hours, and compensation for those account holders who lost money through fraud. That is small change compared to what banks should be doing to properly maintain a satisfactory cyber security system. Governments of whatever stripe have not seen any point in legislating real protections, or in resourcing and staffing the regulator’s office with people who will take serious action against malefactors. In the United States the Federal Trade Commission would impose a multi-million-dollar penalty on banks with banking apps prone to a trojan attack, and impose a 10 – 20 year enforceable undertaking involving constant reviewing of their systems.

The article provides:

Australia is the fourth most targeted country in the world for mobile banking app malware, with 34 of the nation’s banking apps under attack from malicious backdoor programs known as trojans, according to a new report.

Of these 34 apps, 13 are being targeted by three or more banking trojans, putting users at higher risk of having their financial information stolen, the research from mobile security company Zimperium shows.

Australia’s subpar hardwired infrastructure and high mobile device use, alongside a lack of consumer protection, made it an easier target, said the report’s author, Zimperium director of threat reporting, Richard Melick.

“(Australia’s) physical hardwired infrastructure is horrendous – it is slow and outdated. So per capita, your residents use their mobile devices more than most other developed countries,” Mr Melick told The Australian.

“On top of that, there’s not a lot of Australian consumer protection when it comes to how some of this malware spreads … Telstra and other organisations are looking into protections, but for now, it’s almost like it’s an easy target.”

While Australia sits in fourth place, ahead of it is the US, with 121 banking apps under attack, followed by the UK’s 55 apps and Italy’s 43.

Three of the nation’s big four banks – Commonwealth Bank, Westpac and ANZ – are each under attack from four sophisticated trojans, including malware Cabassous and Coper, that are unknowingly downloaded by Android users from the Google Play Store.

A number of other financial institutions are being targeted by the same trojans, including Bank of Queensland and Bendigo and Adelaide Bank. But the nation’s third largest lender, National Australia Bank, does not appear on the list at all.

There are two styles of banking trojans targeting global mobile banking users, according to Zimperium.

The first is part of a larger attack chain that seeks to get access to banking credentials and data, as well as security controls like multifactor authentication.

The second uses screen scrapers and keyloggers along with data input capabilities to steal money directly through an app once a user logs in.

Trojan Cabassous, discovered in early 2021 and with a later variant named FluBot, spread via deceptive SMS messages and has targeted 15 banks globally, including CBA, Westpac and ANZ.

The Cabassous SMS messages were crafted to make it look like they came from FedEx, DHL, or some other delivery service, with the message requesting the recipient download an app to track their package.

Using the overlay attack technique, the trojan would then prompt users to enter their login credentials to gain control of their financial information.

Europol this month announced that it had taken down the FluBot malware operation.

A second trojan, Coper, disables Google Play Protect and installs additional malicious apps onto a device. Coper was discovered in July 2021 and targets 40 financial apps, including CBA, ANZ and ING Australia.

Once launched, the app gains a range of permissions, including admin privileges, sending and intercepting SMS messages and uninstalling applications, Mr Melick wrote in the report.

“We’re seeing more advanced banking trojans out there now; this is just the tip of the iceberg,” he warned.

“Some of the more advanced banking trojans that we’re seeing are targeting devices and going as far as stealing people’s money and then wiping their phones to cover their tracks. This malware is getting more aggressive and more advanced.”

Putting the onus back onto banks, Mr Melick said institutions needed to do their due diligence to protect customers.

“They have turned our mobile phones into mobile ATMs, but there’s more security around the ATM on the side of the street than there is on the application on your phone.

“Our analysis of mobile applications found that around 80 per cent of financial applications are actually leaking, or potentially leaking, critical user information because (banks) are not approaching them with a security mindset.”
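The quoted report describes Coper by the capabilities it acquires once launched: device admin rights, sending and intercepting SMS, installing and uninstalling applications, plus the screen-overlay technique attributed to Cabassous. From a defender's side, that combination of capabilities is visible before any malware runs, in the permissions an APK declares in its AndroidManifest.xml. The script below is an added example, written for this page and not code from the article, Zimperium or any bank; it triages manifests by counting how many of those capability clusters an app requests. The permission names are real Android permission identifiers; the two manifests, the package names and the "parcel tracker" label are constructed sample input, and the flagging threshold of three clusters is an assumption chosen for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Capability clusters named in the quoted report (SMS send/intercept,
# admin privileges, install/uninstall of apps, overlay drawing), plus the
# accessibility-service permission that overlay-style trojans commonly pair
# with them. All identifiers are genuine Android permission strings.
CLUSTERS: Dict[str, Set[str]] = {
    "sms send/intercept": {
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "device admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "install/uninstall packages": {
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.REQUEST_DELETE_PACKAGES",
    },
    "overlay (screen drawing)": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility service": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
}

# <uses-permission android:name="..."/> entries, plus android:permission="..."
# attributes on components (device-admin receivers and accessibility services
# declare their binding permission on the component, not via uses-permission).
_USES_PERM = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')
_COMPONENT_PERM = re.compile(r'android:permission="([^"]+)"')


def extract_permissions(manifest_xml: str) -> Set[str]:
    """Collect every permission string an AndroidManifest.xml references."""
    return set(_USES_PERM.findall(manifest_xml)) | set(_COMPONENT_PERM.findall(manifest_xml))


def score_app(perms: Set[str]) -> Tuple[int, List[str]]:
    """Return (number of capability clusters requested, cluster names hit)."""
    hits = [name for name, members in CLUSTERS.items() if perms & members]
    return len(hits), hits


def triage(apps: Dict[str, str], threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Flag apps whose manifests hit at least `threshold` clusters, highest score first.

    The threshold is an assumption for this example; tune it against a real corpus.
    """
    flagged = []
    for label, manifest in apps.items():
        score, hits = score_app(extract_permissions(manifest))
        if score >= threshold:
            flagged.append((label, score, hits))
    flagged.sort(key=lambda entry: -entry[1])
    return flagged


# Constructed sample manifests (not real apps). The first mimics the delivery-
# tracking lure described in the article and asks for every cluster above.
SAMPLE_MANIFESTS: Dict[str, str] = {
    "parcel-tracker (constructed)": """
<manifest package="com.example.parceltracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
""",
    "weather (constructed)": """
<manifest package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>
""",
}


if __name__ == "__main__":
    for label, score, hits in triage(SAMPLE_MANIFESTS):
        print(f"{label}: {score} clusters -> {', '.join(hits)}")
```

On a real device fleet the manifests would come from `aapt dump xmltree` or a mobile-device-management export rather than inline strings; the scoring logic is the same. The point is not that any single permission is malicious (a legitimate SMS app needs SEND_SMS) but that a package-tracking app asking for SMS interception, device admin, package removal and overlay drawing together matches exactly the profile the report describes, and can be held for review before it reaches a banking customer's phone.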
