Late last week researchers at Symantec warned of a new variant of the Fakebank Android malware family that has an unusual twist. Once installed the malware will intercept mobile calls you attempt to make to your bank, and instead direct them to a scammer impersonating an agent working for the bank. Furthermore, the malware will intercept calls from the *scammers*, and display a fake caller ID to make it appear as though the call is really from the legitimate bank. IT security experts commented below.
Frederik Mennes, Senior Manager for Market and Security Strategy at VASCO:
“Banks can protect themselves against “vishing” (voice phishing) attacks by educating users, for example explaining that they shouldn’t install apps from unofficial stores, and requesting they review app privileges. However this approach fails if the user makes a mistake. A stronger and better approach to protect against vishing consists of implementing transaction authentication, whereby the user must generate a valid dynamic authentication code in order to confirm a financial transaction. Fraudsters will have trouble convincing the user to generate and provide a valid authentication code or a fraudulent financial transaction, and hence will be stopped before doing any harm.”
Paul Bischoff, Privacy Advocate at Comparitech.com:
“The Fakebank Android malware could soon be a model adopted by malware makers in parts of the world outside South Korea. Even though the attack uses a fairly novel approach to scam users, Android owners can avoid it using the same best practices used to avoid any other type of malware. First, update Android to the latest stable version. The newest release, Oreo, prevents the caller ID from being spoofed by the malware. Avoid downloading apps and files from unknown sources. Don’t trust apps from third-party app stores, and be wary of links in web pages and emails. It’s also important to review and limit the permissions of apps you install, and install and run antivirus regularly.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.