Cleafy researchers disclosed a new Android trojan TeaBot, that allows “live streaming of the device screen (on demand) and also interacts with it via Accessibility Services”. The malware, first seen in attacks against Italian banks, is now hitting banks in Belgium & the Netherlands. TeaBot uses overlay attacks, interception of SMS messages, keylogging, and other exploits to steal victim’s credentials and SMS messages for enabling fraud scenarios against a predefined list of banks (more than 60 targeted banks were extracted).
<p>TeaBot and other Android-based trojans have the potential of stealing user credentials and wreaking havoc with account takeover fraud and identity theft within the banking system. While currently these Trojans appear to be localized within certain European countries for the time being, such attacks can quickly spread regionally and across the globe. As compromised login credentials can be used in conjunction with biographic information that is easy to socially engineer these days, a mobile-only problem can quickly spread cross channel across online and traditional contact center channels and overwhelm the bank’s fraud team. </p> <p> </p> <p>Financial Services and insurance companies should move away from homegrown frameworks and urgently adopt modern strong authentication methods and remove the legacy dependence on passwords. Push notification from a bank application using certificates exchanged with the smartphone can be a lot more secure than a username / password combination along with a One Time Passcode (OTP) that’s transmitted over SMS. An authentication hub can be used by consumers based on risk profile along with a variety of non-password based modern authentication methods like phone as a token, device coupled with native or proprietary biometrics, and/or FIDO2 security keys. </p> <p> </p> <p>Finally, conditional access can be either granted or revoked based on user behavior or geofencing, which adds a layer of continuous authentication and protection as a safety net against a compromised authentication factor.</p>
<p>User credentials and SMSs are often the two factors needed to gain access to user accounts in sensitive mobile applications such as banking apps. The fact that they can be relatively easily intercepted should immediately cause enterprises to add further checks on the apps and their runtime environment before accepting API transactions requests. Specifically, authentication that the API requests come from a genuine app instance is needed and verification that the app is not running on an emulator or within a faked or compromised runtime. Only then can exploits that rely on scripts utilizing phished credentials and SMSs be prevented.</p>