At the Virus Bulletin conference in Prague today, Google’s Sebastian Porst disclosed how the Android security team’s internal task force combated the rise of mobile banking fraud in Russia. In the first quarter of this year Russian smartphone users were under attack by mobile banking malware called Trojans. Kaspersky Labs reported that 86% of mobile banking Trojans were concentrated in Russia. Porst explained how the task force formed last January countered the attack.
Google measures mobile safety and security based on potentially harmful apps (PHA) detected on phones running its Android software. Google runs automated and manual analyses of how apps were written, from whom, and where the apps were submitted to Google’s and other app stores and how the apps behave to identify PHAs. Google’s Android security system, Verify Apps, scans apps at installation recommending that the user not install apps detected to be PHAs. Periodically, Verify Apps also scans all apps on the phone, reporting PHAs it has detected to the user and to Google. The app then recommends the user remove any PHAs it has found.
Russia regularly appears at the top of the list of countries with the most PHAs. On a relative scale, Russian users are ten times more likely to have a PHA installed on their phones compared to the United States, where less than 0.4% of phones are detected to have PHAs.
Using human engineering, thieves persuaded Russian users to ignore Verify Apps warnings, and install malware from external websites. The sites masqueraded as popular, safe apps, like Google Play, Adobe Flash Player and Minecraft. These Trojans contain phishing malware that monitor legitimate banking apps, and the Google Play app, in order to steal financial credentials from the user. With account numbers and passwords in hand, the thieves then make unauthorized transactions. They then confirm the transactions by intercepting text message authorization codes sent from the financial institution to the infected phone. This capability to intercept authorization codes is essential, because banks around the world now use these text codes precisely to prevent fraud.
Last March, in response to the spike in mobile banking attacks, Google dialed up smartphone virus scans with Verify Apps from once a week to once a day in Russia, warning users of the phishing apps, and recommending that users remove them. This led to a huge increase in the number of users who removed the app, after being warned.
In Apr. 2015, Verify Apps then began to remove certain apps confirmed to be banking phishing Trojans. At the same time, Google began blocking confirmed banking Trojan PHAs from installation or reinstallation.
As an independent measure, the task force tracked the number of times that users installed financial phishing Trojan variants that had not yet been identified. The decline measured over the last six months confirmed the task force was able to identify new variants created to evade .
The task force also tracked the declining number of users that ignored warnings represented by the blue line. In the same period the overall incidence of PHAs in Russia declined by half, presumably because more users observed the Verify Apps warnings
A quarter over quarter reduction in banker Trojans of approximately 50% was also reported by Kaspersky Labs in its Q2 2015 IT Threat Evolution Report, confirming Porst’s results. Asked to comment, Kaspersky’s Roman Unuchek, senior malware analyst wrote to Quartz an email: “The group behind the Trojan has targeted users of Russian banks and Google Play since 2013. During 2014 the number of attacks by this Trojan grew steadily, but at the beginning of May 2015 the numbers decreased dramatically, almost to zero. Our solutions have continued to detect this threat in the three months since our last report, but detections are about 5 times lower than May.”
Porst concluded his talk with an explanation of how the new M version of the Android operating system has been hardened against this type of threat. The talk also made clear the indisputable necessity for phone makers to staff a diligent team to continuously fight malware.