Protecting against the BankBot Android banking malware using RASP

Frederik Mennes

Earlier this month the Dutch company Securify came across a new sample of the BankBot Android mobile banking malware. While older samples of BankBot mainly targeted Russian financial institutions, the latest sample shows that BankBot now targets European and American banks as well. More specifically BankBot now targets over 420 leading banks in countries such as Germany, France, Austria, the Netherlands, Turkey and the United States.

VASCO’s Threat Research analysts Ludovic Joly and Ernesto Corral set out to understand how BankBot attacks mobile banking apps, and to verify whether VASCO’s Runtime Application Self-Protection (RASP) technology protects mobile banking apps against BankBot.

How does BankBot steal your credentials?

BankBot is a banking Trojan that poses as an apparently benign application, such as WhatsApp or Runtastic. When the application is installed and run, it asks for administrative privileges. Once these privileges are granted, the icon disappears from the home screen. From that moment, the device is compromised.

BankBot subsequently tries to steal your banking credentials (e.g. username and PIN) and credit card information using a well-known technique called overlay. This means the malware creates a window that mimics the look-and-feel of the targeted mobile banking app, and that aims to trick users into entering their credentials. This overlay window is positioned on top of the target app when the user launches it. As the overlay window is created to look exactly like the target app, users usually believe they are interacting with the genuine mobile banking app.


Figure 1: Examples of overlays used by BankBot (source: Securify)

BankBot’s process for creating and displaying an overlay is as follows. First, BankBot obtains the list of processes running on the device. The comments in the code have been added by our Threat Analyst Ernesto Corral to simplify reading.


Next, BankBot obtains the actual names of the running processes using the following command:


Subsequently BankBot compares these names against a list of names of mobile banking apps that it targets. Some examples of apps currently targeted by BankBot are:


If the name of a running process matches a name in the target list, BankBot finally creates an overlay and positions it on top of the target app.


The overlay itself consists of a customized WebView, which is an Android component that can be used to show a webpage within an app:


The BankBot Trojan downloads the content for the WebView on-the-fly from the C2 server, and displays it within a WebView component of its app.

Protecting against BankBot’s overlay attacks

In order to defend mobile banking apps against overlay attacks, we recommend that they are protected using two techniques, namely Runtime Application Self-Protection (RASP) technology and two-factor authentication functionality.

RASP, which is a term coined by Gartner, protects mobile apps against application-level intrusions, such as overlay attacks. RASP solutions interfere with the banking Trojan’s process to create and display overlays. It is important that financial institutions choose a RASP solution that provides generic overlay protection. This means the RASP solution should not provide protection against specific malware samples (e.g. the latest BankBot sample), but rather against multiple malware families, such as BankBot, svpeng and Marcher. Marcher is one of the most active banking malware families of 2016 according to Kaspersky’s report Financial Cyberthreats in 2016. Good RASP solutions can be generic because our analysis has shown that many malware families use similar techniques to create overlays.
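As an added illustration of a generic, in-app overlay signal (this is example code, not VASCO's RASP implementation): an Android Activity hosting a PIN field stays resumed but loses window focus when another window is drawn on top of it, which is exactly what happens when an overlay is placed over the banking app. The layout and view ids (R.layout.activity_pin_entry, R.id.pin_field) are hypothetical, and the check is a heuristic that also fires for legitimate focus changes such as the notification shade, so it fails closed on the sensitive field rather than blocking the whole app.

```java
// Example code, not part of the original post or of any vendor's product.
// Heuristic: a resumed Activity that loses window focus has another window
// on top of it (dialog, notification shade, or a malware overlay).
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.widget.EditText;

public class PinEntryActivity extends Activity {
    private static final String TAG = "OverlayGuard";
    private EditText pinField;   // hypothetical view id R.id.pin_field
    private boolean resumed;     // true between onResume() and onPause()

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_pin_entry);   // hypothetical layout
        pinField = (EditText) findViewById(R.id.pin_field);
        // Real Android API: drop touches delivered while another window
        // partially covers ours (defends against tapjacking overlays).
        pinField.setFilterTouchesWhenObscured(true);
    }

    @Override protected void onResume() { super.onResume(); resumed = true; }
    @Override protected void onPause()  { super.onPause();  resumed = false; }

    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        if (!hasFocus && resumed) {
            // Still in the foreground, yet something else took focus.
            // Fail closed: discard any partially typed PIN and disable the
            // field until our window regains focus, and log for telemetry.
            pinField.getText().clear();
            pinField.setEnabled(false);
            Log.w(TAG, "Window focus lost while resumed: possible overlay");
        } else if (hasFocus) {
            pinField.setEnabled(true);
        }
    }
}
```

Because a BankBot-style overlay receives the user's keystrokes itself, the banking app never sees the stolen PIN; the value of this signal is in alerting the user and the bank's risk engine that the session was covered, not in recovering the input.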

Two-factor authentication technology, on the other hand, ensures that banking credentials stolen via an overlay attack are of little value to a fraudster. Apps protected in this way use two different authentication elements: something the user knows (e.g. the PIN), but also something the user has (i.e. a cryptographic key stored on the mobile device, which is used to generate one-time passwords). While overlay attacks can be used to target the knowledge factor, they cannot attack the possession factor to steal the cryptographic key.

Conclusions

Our Threat Research Labs have analyzed the inner workings of malware such as BankBot and Marcher. From this we have learnt that many Android mobile banking malware families use a similar approach to create overlay windows. After testing in our lab, we can say that our RASP technology offers protection against multiple malware families that use this approach. Furthermore, the two-factor authentication functionality of DIGIPASS for Apps ensures that even successful overlay attacks can be defended against.


Frederik leads OneSpan's Security Competence Center, where he is responsible for the security aspects of OneSpan's products and infrastructure. He has an in-depth knowledge of authentication, identity management, regulatory and security technologies for cloud and mobile applications.