It might come as a surprise to those who follow computer security news that the security vulnerabilities that get the most attention in the media, such as Stagefright, Quadrooter and the Trident iOS exploits, are, in fact, rarely used for banking fraud.
What they do is give an attacker so-called root or superuser access, where the malware has the same level of access to the operating system as the apps preinstalled by the phone vendor. With that access, malware can modify other running applications, read all files, and intercept all communication as it happens on the device. Malware requiring root access has so far been used mostly for surveillance, for showing ads to the user, and as ransomware.
The reason root access is not often used in banking malware is simple: while banking fraud is very lucrative, there are too many other ways of tricking users that do not require root access. Now, however, this situation is about to change. In February, the first banking malware utilizing root access was found by Kaspersky Lab, and their findings have recently been written up on Securelist. The malware, known as Tordow (Trojan-Banker.AndroidOS.Tordow.a), uses modified versions of popular software, such as Pokemon Go, as a transmission vector. Once the infected application is installed on the device, the malware has access to all the “normal” non-superuser operations, such as reading and deleting text messages, making and blocking calls, and downloading and installing applications.
What is new about Tordow is that it also exploits known vulnerabilities to obtain root access. It can then use that access to install modules into the system partition, which makes them impossible for the user to remove, or to hijack the databases of the stock Android browser and Chrome. The last point is particularly interesting, as those databases contain any stored logins and passwords, browsing history, cookies, and sometimes even saved bank card details.
Simply stealing a web browser’s database is, of course, a trivial example of what superuser-level malware can do. A more relevant type of attack is the banking software attack described by Haupert and Müller in their paper “(In)Security of App-based TAN Methods in Online Banking”. They show how, using superuser access, they can modify both what is shown on the screen and what is returned to the banking server, successfully tricking the user into authorizing fraudulent transactions.
According to Trend Micro, there is already malware in the wild that can gain superuser access on 90% of devices. Reports released this summer found that the “Godless” malware had already infected 850 000 devices. If you do not believe that your device is vulnerable to this type of attack, it might be enlightening to check for just a single class of vulnerabilities with the Stagefright Detector available on the Play Store.
It is only a matter of time before malware producers become aware of the possibilities offered by superuser access. Once they do, gaining it will become their first priority. How does the PSMP suite approach this threat? First of all, we do not believe it is possible to protect against malware using some form of anti-virus-like software, or that smartphone vendors will at any point in the future be able to develop a truly secure operating system.
Instead, the PSMP suite creates a secure environment inside the application itself, separate from the potentially malware-infected operating system. This secure environment is tailored to protect only the most sensitive part of your application, with minimal impact on your existing solutions.