By Clare O’Gara
Mon | Jun 15, 2020 | 5:15 AM PDT

It's a common best practice among CISOs trying to get their employees invested in cybersecurity for the corporate network: make things personal.

If you help an employee secure the personal accounts of their family and friends, good cyber practices can become a relevant concern that they learn to take seriously.

Here's another opportunity to help your end-users do that.

Department of Justice alert: rogue banking apps and trojans

If there's one thing we can all agree on, it's that a trip to the bank is one of the least exciting errands of all time—ranking right up there with the DMV.

Pandemic lockdowns made a trip to the branch impractical for a time, and reliance on banking apps has soared since.

An estimated 75% of Americans used mobile banking in 2019. And research shows this trend accelerated because of COVID-19.

This rise in use now comes with a warning from the FBI's Internet Crime Complaint Center (IC3), part of the U.S. Department of Justice (DOJ).

In a special alert, IC3 explained the risks associated with this uptick:

"The FBI expects cyber actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking trojans and fake banking apps."

First, IC3 tackles banking trojans: what are they?

"Cyber actors target banking information using banking trojans, which are malicious programs that disguise themselves as other apps, such as games or tools. When the user launches a legitimate banking app, it triggers the previously downloaded trojan that has been lying dormant on their device."

From there, the trojan masquerades as the genuine app, typically by drawing a fake login screen over the real one the moment it opens, and captures the credentials you type.

It then usually passes you through to the legitimate app or site, so the login appears to succeed and the theft goes unnoticed. Fake banking apps take a different route: they are fraudulent from the get-go:

"Actors also create fraudulent apps designed to impersonate the real apps of major financial institutions, with the intent of tricking users into entering their login credentials. These apps provide an error message after the attempted login and will use smartphone permission requests to obtain and bypass security codes texted to users."

Banking trojans and fake banking app threats

The danger is not only in the login screen; the permissions these apps request matter just as much. Kacey Clark, threat researcher at Digital Shadows, explains:

"During our research, we have observed multiple impersonation apps, which contain dangerous permissions that can give the app access to highly sensitive information or perform invasive actions on the user’s behalf: read and write SMS, authenticate accounts, capture and collect photos, request authentication tokens, process outgoing calls, read contacts, add or remove accounts, etc."

Here's what Clark has to say about fake banking apps:

"In this scenario, users are misled into downloading a fake or impersonating app that uses dangerous permissions. By using a bank's brand imagery and details in the app's description, users commonly ignore an app's requested permissions because they are keen to trust that their download is legitimate. After the user enters their credentials into the app and attempts to log in, the credentials are harvested, and security codes can be bypassed."

And here's more on banking trojans:

"In another scenario, banking trojans can be used as a 'dropper' to install malware onto a user's phone, particularly spyware (aka stalkerware). Once installed on a device, spyware can remain undetected while managing and accessing everything on a victim's device including sensitive information such as the target device's camera and microphone, text messages, passwords, contact lists, stored or typed payment card details, and geo-location."
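The permission combinations described above (SMS access, overlays, accessibility control, account and contact access) are visible in an app's manifest before it is ever installed. As an added example that is not part of the IC3 alert or the Digital Shadows research, the Python script below parses an AndroidManifest.xml and flags the pattern that lets a fake app harvest credentials and then capture texted security codes: overlay or accessibility control combined with SMS access, plus a receiver for incoming SMS and an accessibility service. The two manifests are constructed samples, and the permission-to-behaviour mapping and the risk levels are this example's own assumptions, not an official taxonomy.

```python
"""Triage an Android manifest for the permissions and components that fake
banking apps and banking trojans rely on. Added example; the sample manifests
are constructed, and the risk mapping below is an assumption of this example."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix for android: attributes

# Assumed mapping (this example's own): permission -> what it lets a rogue app do.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept SMS one-time codes as they arrive",
    "android.permission.READ_SMS": "read stored SMS one-time codes",
    "android.permission.SEND_SMS": "send SMS (forward codes, premium-rate fraud)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.GET_ACCOUNTS": "enumerate accounts on the device",
    "android.permission.AUTHENTICATE_ACCOUNTS": "act as an account authenticator",
    "android.permission.USE_CREDENTIALS": "request authentication tokens",
    "android.permission.MANAGE_ACCOUNTS": "add or remove accounts",
    "android.permission.PROCESS_OUTGOING_CALLS": "observe or redirect outgoing calls",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.CAMERA": "capture photos",
}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return package name, human-readable findings and a risk level."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # 1. Dangerous permissions requested up front.
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    for perm in sorted(requested & set(RISKY_PERMISSIONS)):
        findings.append(f"requests {perm}: {RISKY_PERMISSIONS[perm]}")

    # 2. A broadcast receiver for incoming SMS (high priority is the classic
    #    sign of an app that wants the texted code before the real SMS app).
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                findings.append(f"receiver {receiver.get(A + 'name')} listens for "
                                f"SMS_RECEIVED (priority {flt.get(A + 'priority', '0')})")

    # 3. An accessibility service, which can read and drive other apps' screens.
    ui_control = OVERLAY_PERM in requested
    for service in root.iter("service"):
        if service.get(A + "permission") == ACCESSIBILITY_BIND:
            ui_control = True
            findings.append(f"service {service.get(A + 'name')} is an accessibility service")

    # Combination logic: control of the screen plus access to SMS is the
    # fake-login-then-steal-the-code pattern the alert describes.
    sms_access = bool(requested & SMS_PERMS)
    if ui_control and sms_access:
        risk = "HIGH"
    elif ui_control or sms_access:
        risk = "MEDIUM"
    elif findings:
        risk = "LOW"
    else:
        risk = "NONE"
    return {"package": root.get("package", "<unknown>"), "findings": findings, "risk": risk}


# Constructed sample: what a fake "bank" app that overlays a login screen and
# steals SMS codes typically declares. Not a real application.
FAKE_BANK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank.mobile">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Bank Mobile">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".OverlayService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (FAKE_BANK_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "->", result["risk"])
        for line in result["findings"]:
            print("   ", line)
```

On a real APK the manifest is stored as binary XML, so decode it first (for example with apktool) and feed the resulting text to `triage_manifest`. The combination rule is deliberately simple: SMS access on its own is normal for a messaging app, and an overlay permission on its own is normal for a screen-filter utility, but a self-described banking app that wants both is exactly the profile the alert warns about.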

Cybersecurity and banking apps: best practices

The real question in all this: how does an end-user or employee protect their money and secure their account against these banking threats?

Fortunately, IC3 provides some advice for that:

  1. Obtain apps only from trusted sources: the official app store or a link from the bank's own website, never from a text message or an ad
  2. Use two-factor authentication (2FA), and never read a 2FA code to anyone who calls or texts asking for it
  3. Use strong, unique passwords and good password security
  4. If a banking app appears suspicious, call the bank on the number from your card or the bank's website, not one shown inside the app

These tips should help your end-users save themselves a trip to the bank while lowering the risk of a cyberattack.