Diversifying Defenses: FjordPhantom Malware Shows Importance of a Multi-Pronged Approach

Security teams need to combine the angles of client-side and server-side detection in order to have the best chance of mitigating the risk of advanced mobile malware.

Recently, Promon discovered a new Android banking malware named “FjordPhantom”. They published both an analysis of the mobile malware and a report assessing a sampling of online banking applications that may be vulnerable to it. Both resources provide interesting insight and bring to light important security topics that are worth discussing.

The Promon analysis discusses how the malware spreads, noting that “FjordPhantom spreads primarily through email, SMS, and messaging apps. A user is prompted to download an app that looks like their bank’s own app. In reality, the downloaded app contains the real bank’s Android app, but it is run in a virtual environment with additional components that enable attacks on the app.”

Remember that point about being run in a virtual environment – that is an important one that we will soon return to.

The next phase of the attack involves social engineering. The Promon analysis shares that “After downloading, the user is subjected to a social engineering attack. Typically, this is backed by an attack team in a call center. They purport to be customer service for the bank, guiding the customer through the steps to run the app. The malware enables the attackers to follow the user’s actions, allowing them to either guide the user to perform a transaction or use the process to steal credentials. They can use these credentials for additional attacks.”

What we have here are two different types of social engineering. The first facilitates the malware being installed, while the second facilitates the attackers’ objective – namely to commit fraud by performing transactions that steal money from victims’ bank accounts and/or by stealing credentials. In order to understand how this works, we need to go back to the point about being run in a virtual environment.

On Android, each app is isolated from the others and cannot see their data, with one exception: apps running inside the same virtual environment can see each other’s information. That exception is exactly what the FjordPhantom malware exploits. So why does Android allow this functionality?

The Promon analysis explains that “Virtualization solutions allow the installation and running of apps in a virtual container. They have become quite popular on Android in recent years. There are legitimate reasons for using such solutions, and Google accepts them because many of these apps can be downloaded from the Google Play Store. A popular reason for using these solutions is to be able to install the same app multiple times to log into them with different accounts. This is something that is usually not possible on Android.”

Given all this, it is worth taking a step back and looking at what is happening here at a higher level. First, by tricking the user into downloading and installing the malicious app, the attackers avoid certain “tells” that would indicate that the app is being installed in an improper manner. Second, by running the legitimate app inside a virtual environment, the malicious app can influence, manipulate, and steal data from it without the OS forbidding that. Third, by using out-of-band social engineering for the next phase of the attack, the attackers ensure that the legitimate user and the legitimate device are the ones performing the transactions. As a result, the attackers avoid the signals that would alert the online banking application to potential fraud and/or abuse.

So what does all that mean for us as security professionals? Well, unfortunately for us, it means that we need to combine the angles of client-side and server-side detection in order to have the best chance of mitigating the risk of mobile malware like FjordPhantom and others like it. We need to employ a multi-pronged approach to ensure the greatest chance of defending our businesses. The attackers are constantly innovating and looking for ways around our defenses, and a single point of failure defensively is simply not an option.
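One concrete client-side prong, as an added example that is not from the article or from Promon’s research: a startup check a banking app can run to notice that it is executing inside an app-virtualization container rather than as a normally installed package. The Android API calls are real; the path conventions and the single-UID-per-package assumption are noted in the comments, and a container that hooks these same APIs can lie, so the result is one signal to report to the server, not a verdict on its own.

```java
// Added example (not from the article or Promon): heuristics a banking app can
// evaluate at startup to detect execution inside an app-virtualization
// container. Assumes a normally installed third-party app on Android 5+.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Process;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public final class VirtualContainerCheck {

    // Returns a list of anomalies; an empty list means no container indicator
    // was observed. Each finding is a string suitable for a server-side report.
    public static List<String> findAnomalies(Context ctx) {
        List<String> findings = new ArrayList<>();
        ApplicationInfo info = ctx.getApplicationInfo();
        String pkg = ctx.getPackageName();

        // 1. A natively installed app's data directory is /data/data/<pkg> or
        //    /data/user/<n>/<pkg>. A container hands the guest app a directory
        //    nested inside the host app's own data directory instead.
        String dataDir = info.dataDir;
        boolean dataDirOk = dataDir != null
                && (dataDir.equals("/data/data/" + pkg)
                    || dataDir.matches("/data/user/\\d+/" + Pattern.quote(pkg)));
        if (!dataDirOk) {
            findings.add("unexpected dataDir: " + dataDir);
        }

        // 2. The APK of a normally installed app lives under /data/app/. A guest
        //    APK loaded from the host's storage reports a different sourceDir.
        String apk = info.sourceDir;
        if (apk == null || !apk.startsWith("/data/app/")) {
            findings.add("unexpected sourceDir: " + apk);
        }

        // 3. Each installed package normally owns its own Linux UID (apps that
        //    declare a sharedUserId are the legitimate exception). Inside a
        //    container the guest runs under the host's UID, so the UID maps to
        //    a package name that is not ours.
        String[] pkgsForUid = ctx.getPackageManager().getPackagesForUid(Process.myUid());
        if (pkgsForUid == null || pkgsForUid.length != 1 || !pkg.equals(pkgsForUid[0])) {
            findings.add("uid " + Process.myUid() + " mapped to: " + Arrays.toString(pkgsForUid));
        }
        return findings;
    }
}
```

Because the findings are produced on the device, the server should treat them as untrusted input and correlate them with its own fraud signals (device, session and transaction patterns) rather than blocking on the client result alone.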

Further, Promon’s research and analysis determined that 80% of the 113 top global banking apps they tested were vulnerable to FjordPhantom. Unfortunately, the ability of this malware to evade native client-side Android protections as well as server-side protections is a weak spot for many businesses. Mobile app protection is certainly important. But it is far more powerful when it complements and augments existing application protections and defenses to round out the overall security picture.

As with many topics in security, defense-in-depth improves our ability to mitigate the risk that mobile malware presents to our enterprises. While it may be tempting to consider one angle or one approach when looking to mitigate a given risk, looking at multiple angles often produces better value for the security team and the enterprise. One thing that is worth noting, though, is that threats like FjordPhantom will likely become a regular part of the threat landscape.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.