RSA has been made aware of a new malware attack campaign that targets end-users of online banking applications, which could enable fraudulent wire transactions from victims’ accounts. The attack relies on an Android-based SMS hijacker app that has been branded or “skinned” with RSA SecurID branding to make it appear more credible. This attack targets owners of Android-based mobile devices only. To date, Apple devices have not been affected. The attack is carried out as follows:
- Trojan malware is deployed on a victim’s machine.
- When the victim subsequently connects to an online banking application that uses a One Time Password (OTP) to authenticate money transfers, the Trojan displays a recommendation to download a fake RSA SecurID app, which is actually an Android-based SMS hijacker that has been “skinned” with RSA SecurID branding.
- The Trojan prompts the victim for the phone number of their Android mobile device and sends a SMS text to the victim’s device containing a link to download the fake RSA SecurID app (from a site other than the official Google Play store).
- Once the victim has downloaded and installed the fake app, the attacker then initiates a money transfer from the end-user’s account.
- When the online banking application responds by sending an SMS text with the OTP to the user’s mobile device, the malware intercepts the text so the user never sees it.
- The attacker then enters the captured OTP into the application to complete the fraudulent transaction.
It should be noted that RSA has always limited download of RSA mobile apps to official platform app stores to ensure the security and trustworthiness of those apps. In this case, the fact that the app is downloaded from a site other than the Google Play store is a clear indicator that the app is not authentic. RSA’s Anti Fraud Command Center (AFCC) is vigilant in tracking and shutting down rogue RSA mobile app download sites and is working to address this new campaign.
This attack method is not a new concept nor limited in potential scope to RSA customers alone, but it is one that can be stopped at several points with good cybersecurity hygiene. RSA customers (and their customers) can better defend themselves by:
- Never downloading any RSA mobile app from any site other than the device platform’s official store (e.g., Google Play, Apple App Store, etc.).
- Being wary of social engineering-based attacks. In this case, the malware prompts the end-user for a mobile device phone number; information that the bank likely already has.
- Leveraging strong anti-malware detection and remediation solutions such as RSA ECAT or commercial solutions for corporate devices to limit the potential of and damage from Trojan attacks.
- Ensuring your anti-malware/AV software is up-to-date, firewalls are enabled, and devices have not been rooted.
The post was also jointly authored by Kenn Chong, Principal Product Manager – SecurID/Via.