The lack of adequate cyber security and talent shortages in banking could potentially lead to a further increase in cyber attacks on user devices.
As cash transactions become a thing of the past, an increasing number of people’s interactions with their bank or bank accounts are through their smartphones. According to a 2020 Statista survey of five thousand households in 25 Indian states, two-thirds of respondents reported having a smartphone. Half of them said they sent and received money digitally, and about 31% said they had a mobile banking app. Almost 14% said they use their mobile phones for banking purposes. This number has further increased as the COVID-19 pandemic has forced many more people to switch to digital payment methods instead of cash transactions. The convenience and speed of making payments through mobile applications also played a key role in accelerating this trend. This acceleration brings with it a vulnerability: the increased threat of cyberattacks on mobile devices.
Kaspersky’s view of the threat
Global cyber security company Kaspersky is warning of an increase in cyber attacks on Android and iOS devices in Asia Pacific (APAC) as more people in the region switch to mobile banking. According to Kaspersky’s chief malware researcher Suguru Ishimaru, mobile banking trojans are dangerous malware that can steal money from mobile users’ bank accounts by disguising a malicious app as a legitimate app to trick unsuspecting people into installing the malware. (A Trojan horse is malicious code or software that looks legitimate but can take control of your device, including smartphones.)
Speaking at the APAC Cyber Security Weekend conference on Thursday, Mr Ishimaru highlighted two prominent malware campaigns operating in the region targeting smartphone users in several countries.
The Trojans were unleashed
One mobile banking Trojan, called Anubis, has been targeting Android users since 2017, and its global campaigns have hit users in Russia, Turkey, India, China, Colombia, France, Germany, the US, Denmark, and Vietnam. The malware continues to be one of the most common mobile banking Trojans, with one in 10 unique Kaspersky users experiencing the banking malware threat. Offenders infect devices through legitimate-looking and highly rated malicious apps on Google Play, smishing (phishing messages sent via SMS) and BianLian malware, another mobile banking Trojan, Mr. Ishimaru noted.
Roaming Mantis is another prolific malware targeting mobile banking users. The group attacks Android devices and spreads malicious code by hijacking Domain Name Systems (DNS) through smishing exploits. Kaspersky’s research team has been tracking the malware since 2018, and from the beginning of 2021 to the first half of 2022 alone, they detected almost half a million attacks in the APAC region.
Mr. Ishimaru said that while the threat group is known for targeting Android devices, their recent campaign has shown an interest in iOS users. The group targets users by sending funny texts with a short description and a landing page URL. If the user clicks on the link and opens the landing page, they are redirected to a phishing page. For iOS users, the landing page mimics Apple’s official website, while Android devices download more malware. Once an individual enters their credentials and completes two-factor authentication, the attacker becomes familiar with the user’s device and credentials.
“There is a perception that iOS is a more secure operating system,” Mr. Ishimaru said. “But we [users] have to take two things into account – the growing sophistication of mobile bankers’ social engineering techniques and malware arsenal, and the possibility of human error.”
Interoperability complicates matters
Mobile payment platforms such as Google Pay, Paytm, PhonePe, Square, PayPal and Alipay have benefited from the shift in consumer adoption of mobile banking.
As a result, they have also permanently changed the payment game in their favor. However, these platforms operate in a closed payment world where a Google Pay user can only send money to another bank account through the search giant’s payment platform. This is similar to how Visa and Mastercard work in that they only allow payment transactions to be made within their own networks, not between each other.
According to Accenture’s 2022 banking trends report, this business model could change “in part due to regulators favoring open, standardized platforms that lower barriers to entry.”
Some countries are already forcing payment platform providers to change their business model. China, for example, has ordered its Internet companies to offer their rivals’ referral and payment services on their platforms. In India, a new law requires all licensed mobile payment platforms to be able to provide interoperability between wallets. Regulators’ push for payment platform interoperability comes at a time when the demand for technical experts is causing serious concern in the banking industry.
The shortage of technology, engineering, data and security experts that banks need to realize their digital aspirations tends to hide a much wider problem: the appeal of banks as first-time employers of all kinds of talent has faded, the Accenture report adds. The lack of adequate cyber security and talent shortages in banking could potentially lead to a further increase in cyber attacks on user devices. Until this discrepancy is resolved, it’s a good idea to be as cautious as possible when using a mobile device for payments. In addition to the usual digital hygiene practices, such as keeping the phone up to date and rebooting it regularly, consumers can ensure that they only use their phones for banking when the device is connected to a secure VPN. iOS 16 users can turn on Lockdown Mode, as it limits the functionality of the device and protects it from any potential malware.
According to a 2020 Statista survey across 25 Indian states, two-thirds of respondents reported having a smartphone. Half of them said they sent and received money digitally, and about 31% said they had a mobile banking app. Almost 14% said they use their mobile phones for banking purposes.
Global cyber security company Kaspersky is warning of an increase in cyber attacks on Android and iOS devices in the Asia Pacific (APAC) region. One mobile banking trojan, called Anubis, has been targeting Android users since 2017. Roaming Mantis is another prolific malware targeting mobile banking users.
At a time when the demand for technical experts is a serious concern in the banking industry, there is pressure from regulators to make payment platforms interoperable.