Mobile Malware Targeting Financial Institutions and their Clients
Over the past few months you may have heard news reports regarding the threat of new mobile malware targeting banks
and their clients. Traditionally, these threats have been by way of the PC and the online channel. However, given the rise in popularity of mobile banking, criminals have begun paying closer attention to the emerging mobile channel and the opportunities it presents. This is a clear indicator mobile malware is on the rise and will become more prevalent over the next few years. We will likely see some variations on the same themes we have seen with PC-based applications.
Recently, Kaspersky Lab reported its discovery of “Svpeng
”, a new breed of malware targeting mobile devices. While this malware was first detected last year in Russia, it has recently made its way to the U.S. Svpeng
breaks into a mobile device through social engineering and phishing using text message campaigns. The mobile malware, which targets Android devices only
, looks for and targets specific mobile banking apps. The malware has the capability to spoof these legitimate banking apps, steal credentials, and capture sensitive user input. Latest variations now include functionality which enable the malware to take control of the mobile device while demanding ransom, similar to the “ransom ware” threats seen most recently with “GameOver Zeus” and “Cryptolocker”
While we do not have any knowledge of our client applications being targeted by Svpeng
, we recommend that our clients utilize security best practices to proactively mitigate this threat including:
- Utilizing additional controls around the movement of funds (e.g. transaction authorization controls)
- Installing mobile security software to provide device-level protection
- Following safe practices to avoid unnecessary risks, such as installing apps from third-party sites or unreliable sources
- Performing regular backup of data stored in Android devices.
For additional tips on how to protect your mobile device