Researchers at Trend Micro have discovered a new attack that targets a weakness in the SMS-based two-factor authentication used by some banks in Austria, Japan, Sweden and Switzerland, exploiting it through a malicious Android app.
The attack begins in a familiar way: the prospective victim receives a phishing email that appears to come from a well-known and reputable site. The message carries a dodgy link or a malicious attachment, either of which infects the user's computer with malware.
Once installed, the malware changes the computer's DNS settings to point at a server under the attackers' control and installs a rogue SSL root certificate, so that certificates the attackers issue for the bank's domain chain to a trusted root and their fake HTTPS servers raise no browser warning.
Having made those changes, the malware deletes itself, leaving little for anti-virus software to find; only the altered DNS settings and the rogue root certificate remain.
When the user next tries to reach their online bank, the tampered DNS resolves the bank's domain to an authentic-looking copy of the site under the criminals' control.
Attacks that try to dupe users into entering their credentials on fake banking sites are relatively common, but this one has a twist: after logging in, the user is prompted to install an app on their smartphone.
That Android app is of course malicious, though it is presented as a session token generator for the bank.
Once running, the rogue app intercepts the genuine SMS messages that the real bank sends to the customer as part of its normal two-factor authentication. The criminals thus obtain not only the login credentials captured by the fake banking site but the one-time session tokens as well.
Tim ‘TK’ Keanini, CTO at Lancope, thinks such a method of attack could prove highly lucrative because many smartphone owners are unaware of the security implications surrounding their devices:
“This sort of attack is more evolutionary than revolutionary. This is the co-evolution of the defenders raising the bar in one area and the attackers having to modify their tactics to another. This tiny configuration change represents a larger, more known strategy by the attacker, which is to get ‘in the middle’ of the communication. This is just another way for them to place themselves in the middle where they can gain an advantageous position in the communication channels.
I think most users will fall victim because targeting Smartphones is relatively new and most users consider it to be safe and secure. Attackers will continue to try every access vector to the Smartphone because having a footprint on the Smartphone has many advantages to their attack campaign.
Users need to get much more paranoid about downloads and the general security of their Smartphone.
Early detection is beneficial, but this type of DNS attack is very difficult to detect without the right telemetry. These traffic patterns are incredibly anomalous but the attackers know that no-one is monitoring for this anomaly and thus getting away with it.
This is the reason why it is so effective.”
Keanini also says that mitigating this type of banking fraud is relatively easy, and places the emphasis on service providers:
“If service providers or organizations monitored the DNS traffic and, through anomaly detection algorithms, detected that certain machines were not using the configured DNS servers, the attack could be detected at its onset, no matter what country was being targeted.”
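The check Keanini describes, written out as an added example (this is not Lancope's or Trend Micro's code): it walks a constructed batch of flow records (timestamp, source, destination, port, protocol) and flags every host that sends DNS traffic to a resolver other than the organisation's sanctioned ones. A host that sends no DNS at all to the sanctioned resolvers is rated higher, because that is what a replaced resolver setting looks like on the wire. The resolver addresses, the 10.0.0.0/8 internal range and the record format are assumptions; a real deployment would feed it NetFlow or firewall logs.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: the organisation's own resolvers and address range.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: "timestamp src dst dport proto". Host 10.0.5.23 sends
# every DNS query to an off-net server (the pattern a hijacked resolver setting
# produces); 10.0.5.24 mixes an external resolver with the sanctioned one.
SAMPLE_FLOWS = """\
2014-07-22T09:00:01 10.0.5.21 10.0.0.53 53 udp
2014-07-22T09:00:02 10.0.5.22 10.0.0.53 53 udp
2014-07-22T09:00:03 10.0.5.23 203.0.113.7 53 udp
2014-07-22T09:00:04 10.0.5.23 203.0.113.7 53 udp
2014-07-22T09:00:05 10.0.5.21 10.0.1.53 53 udp
2014-07-22T09:00:06 10.0.5.23 198.51.100.4 443 tcp
2014-07-22T09:00:07 10.0.5.24 8.8.8.8 53 tcp
2014-07-22T09:00:08 10.0.5.24 10.0.0.53 53 udp
"""


def parse_flow(line):
    """Split one record into its fields; dport becomes an int."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def assess_dns(flow_text, sanctioned=SANCTIONED_RESOLVERS, internal=INTERNAL_NET):
    """Return one finding per host that talks DNS to an unsanctioned resolver.

    severity is "high" when the host sends no DNS to a sanctioned resolver at all
    (consistent with its resolver setting having been replaced) and "medium" when
    it still uses the sanctioned resolvers too (e.g. a user-chosen public DNS).
    """
    per_host = defaultdict(lambda: {"sanctioned": 0, "rogue": defaultdict(int)})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dport"] != 53:        # only DNS traffic matters here
            continue
        entry = per_host[flow["src"]]
        if flow["dst"] in sanctioned:
            entry["sanctioned"] += 1
        else:
            entry["rogue"][flow["dst"]] += 1

    findings = []
    for host, entry in sorted(per_host.items()):
        if not entry["rogue"]:
            continue
        findings.append({
            "host": host,
            "severity": "high" if entry["sanctioned"] == 0 else "medium",
            "resolvers": dict(entry["rogue"]),
            # True when at least one rogue resolver lies outside the internal range
            "off_net": any(ipaddress.ip_address(r) not in internal
                           for r in entry["rogue"]),
        })
    return findings


if __name__ == "__main__":
    for finding in assess_dns(SAMPLE_FLOWS):
        print(finding)
```

Run as a script it prints one finding each for 10.0.5.23 (high) and 10.0.5.24 (medium); the two hosts that only use the sanctioned resolvers produce nothing. Blocking outbound port 53 at the perimeter except from the sanctioned resolvers turns the same observation into prevention.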
Michael Sutton, VP of security research, Zscaler, says that the attack, dubbed “Emmental” after the notoriously holey Swiss cheese, highlights issues surrounding the permissions granted to apps:
“This attack highlights a concern that we expressed when revealing recent statistics derived from statically analyzing 75,000 Android apps.
In that research we noted that of apps which request SMS access, 28% request ‘Read SMS’ access. This is a high risk permission to grant as any app with these privileges can read all incoming SMS content as there is no way to restrict a given SMS message to a specific application. Keep in mind that these are stats from the official Google Play store. An attacker wouldn’t even need to sneak a malicious app into Google Play, but could simply market a seemingly legitimate application in the Google Play store but include Read SMS permissions and have a Trojan Horse capable of intercepting two factor authentication schemes leveraging SMS.
iOS does not allow Read SMS permissions for apps. While this limits the capability of apps, as can be seen, it also prevents a potentially serious security threat. Now that malware authors are leveraging such permissions to defeat two factor authentication schemes, Google will have to re-think allowing this level of access.
We have seen that users are all too willing to install apps on smartphones without scrutinizing requested permissions. This is especially the case for Android’s ‘all-or-none’ permission model where users cannot install an app unless all permissions are accepted up front. This differs from Apple’s model whereby an application can first be installed and individual permissions allowed or denied as they are needed, without impacting the overall application.
It should also be noted that in this particular attack, because the Android application is using a legitimate permission – reading SMS messages – this application could just as easily be delivered from the official Google Play store as it isn’t exhibiting clearly malicious behaviour and is unlikely to be rejected during the approval process.”
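The kind of static check Sutton's statistics come from, as an added example that is not Zscaler's tooling: it parses a decoded AndroidManifest.xml, lists the SMS permissions the app requests, and looks for a broadcast receiver registered for SMS_RECEIVED, which is the hook an app needs to see each message as it arrives rather than just reading the inbox afterwards. The two manifests are constructed for the example and the package and component names are hypothetical; the binary manifest inside a real APK has to be decoded (for instance with apktool) to plain XML first.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest for a hypothetical "token generator" app that asks for
# SMS access and registers a high-priority receiver for incoming messages.
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tokengen">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Bank Token">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for an app with no SMS access, for contrast.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyse_manifest(xml_text):
    root = ET.fromstring(xml_text)
    requested = {android_attr(e, "name") for e in root.iter("uses-permission")}
    sms_permissions = sorted(requested & SMS_PERMISSIONS)

    # SMS_RECEIVED is delivered as an ordered broadcast: a receiver with a high
    # android:priority sees each message before the stock messaging app does.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {android_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                sms_receivers.append({
                    "name": android_attr(receiver, "name"),
                    "priority": int(android_attr(flt, "priority") or 0),
                })

    if sms_permissions and sms_receivers:
        risk = "high"      # can capture one-time codes as they arrive
    elif sms_permissions:
        risk = "medium"    # can read the inbox, but has no live hook
    else:
        risk = "none"
    return {
        "package": root.get("package"),
        "sms_permissions": sms_permissions,
        "sms_receivers": sms_receivers,
        "risk": risk,
    }


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(analyse_manifest(manifest))
```

The point of the receiver check is Sutton's own: nothing in the manifest is itself illegitimate, so a store review that looks only for forbidden API use will not reject it. Treating SMS permissions plus an SMS_RECEIVED receiver as a high-risk combination is the sort of rule that makes the "seemingly legitimate" token app stand out.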
Sutton also echoes my view, namely that user awareness is key, not only in terms of publicising this particular type of attack, but also in terms of educating smartphone users about app permissions and the potential problems associated with not checking them:
“Awareness is key in alerting users to the threat of an attack such as this, but unfortunately, users will remain the weak link in the security chain regardless of the attention that this attack receives.
Google is in the best position to break this attack by restricting/preventing apps from accessing SMS content.”