Recent studies by IBM (1), Symantec (2) and FireEye (3) on overlay malware such as Bilal Bot, GM Bot, Cron Bot, KNL Bot and SlemBunk conclude that these families are very cheap to buy on the black market and very simple to implement from a technical viewpoint. Combined with their capability to manipulate users into verifying false and fraudulent payment transactions at massive scale, these factors make overlay malware a very serious threat.

This is possible because the malware lets the payment procedure flow as normal and only kicks in, at the right moment, with a look-alike overlay screen on top of the normal transaction verification page. The underlying problem is that the malware can easily register as a background service that starts on boot with higher privileges than the normal payment app. From this position it continuously monitors all foreground apps, records and modifies input, and finally kicks in with falsified graphics and payment data overlaying the genuine transaction verification page produced by the bank or payment service provider.
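As an added example (not code from the original page or from any product it describes), this is the baseline check Android offers a payment app against an overlay drawn over its verification screen; the class name is hypothetical, the platform calls are real.

```java
import android.os.Build;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;

/** Hypothetical helper: refuse a confirmation tap delivered while another
 *  window is drawn on top of the payment verification screen. */
public final class ObscuredTouchGuard {

    /** Called when a tap arrives while the window is covered. */
    public interface OverlayListener {
        void onObscuredTouch(boolean partial);
    }

    private ObscuredTouchGuard() {}

    /** True if the system flagged this event as arriving through an overlay. */
    public static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean full = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED exists from Android 10 (API 29).
        boolean partial = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        return full || partial;
    }

    /** Installs the guard on the "confirm payment" button. */
    public static void protect(Button confirmButton, OverlayListener listener) {
        // Platform-level filter: touches that pass through another window are
        // dropped before they reach the click handler.
        confirmButton.setFilterTouchesWhenObscured(true);

        // Explicit check as well, so the app can log or alert on the attempt
        // instead of silently discarding it.
        confirmButton.setOnTouchListener((View v, MotionEvent event) -> {
            if (event.getAction() == MotionEvent.ACTION_DOWN && isObscured(event)) {
                boolean partial =
                        (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) == 0;
                listener.onObscuredTouch(partial);
                return true; // consume the event; the confirmation does not proceed
            }
            return false; // normal handling
        });
    }
}
```

This only catches taps passed through a translucent overlay onto the real button; a full-screen fake verification page that captures the user's input itself, the case described above, never delivers a touch to the genuine app, so this check alone cannot see it.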

Even though this vulnerability has been known on Android devices since 2011, no effective countermeasure has worked, leaving online and mobile payment especially exposed to these types of overlay attacks, ref (4).

So far, all software-based defenses, including two-factor out-of-band authentication, have been circumvented. Reactive countermeasures have fallen further and further behind in the race against the criminals. Everything indicates that the criminals are playing the same game the anti-virus vendors have faced over the last few years, in which they were increasingly outperformed by the criminals' virus factories year by year until anti-virus finally became irrelevant, as Symantec stated in 2014, ref (5).

The good news is that there is a rescue solution arriving.

Since the overlay malware has to detect when and how the correct payment verification app is launched, by correlating the foreground app's package/class name with its target name, the Protectoria Secure Mobile Platform (PSMP) can outperform this and similar malware by using unpredictability as an active (6) protection mechanism. This literally turns the criminals' own weapons against them: today's stable apps are in trouble precisely because they face dynamic threats running with higher privileges. The dynamic and proactive (7) nature of the PSMP makes it practically impossible to prepare for the correlation, as a personalized PSMP app exposes no recognizable package/class names or other hooks into the transaction that could be detected. The underlying mechanism delivers an extreme level of entropy per transaction, in the form of just-in-time, unpredictable delivery of new code blocks for all parts of the running code. No names, references, messages, keys, protocols or similar are revealed until they are required, which defeats the attacker's ability to show a fake application overlaying a client application secured by the PSMP suite.

But are there alternative options on the market? There are no cost-effective alternatives, but there are two theoretical options:

a) Deploy dedicated security hardware with an embedded screen and keypad to every online user, or

b) Do not comply with the Strong Authentication requirement under PSD2, and take on all liability for financial fraud.

6. An active protection mechanism is a mechanism that limits the possibility of an attack. The opposite – a passive protection mechanism – consists of the procedures and reactions that follow once an attack has been detected.
7. A proactive mechanism is a mechanism that anticipates an attack, assumes it will happen, and directly tries to defeat it. The opposite – a reactive protection mechanism – is a mechanism that reacts to an attack and tries to mitigate the damage while the attack is happening.