= Subscriber content; or subscribe now to access all American Banker content.

First Major Mobile Banking Security Threat Hits the U.S.

Is mobile banking safe? It's a question that's been in the back of many people's minds ever since banks introduced apps in 2009. With roughly 102 million Americans using mobile banking, the potential for hackers, phishers and other types of cyberattackers to prey on mobile banking users is vast.

But until last week, no major security event had directly threatened U.S. mobile banking users.

On Wednesday, Kaspersky Lab discovered that a breed of malware targeting mobile devices called Svpeng had made its way from Russia to the U.S. The malware, which targets Android devices, looks for specific mobile banking apps on the phone, then locks the phone and demands money to unlock it.

So begins a mobile banking security moment of truth.

"This is troubling," says Avivah Litan, vice president of Gartner. "Banks cannot cleanse their customers' smartphones and have no control over this type of Trojan. All they can control is customer interactions with their bank applications. Even securing mobile bank applications and strengthening authentication processes for mobile users won't stop this type of Trojan from operating."

Svpeng was first detected last September in Russia, where it was used to steal card data from mobile devices, explains Shirley Inscoe, senior analyst at Aite Group. Some variants detected when users opened a targeted mobile banking app and displayed a fake login screen to capture log-in credentials. A similar technique was used to collect credit card details when users opened Google Play.

The malware recently was discovered in the U.S. and the U.K., with a new behavior pattern.

In the U.S., Svpeng breaks into a mobile device through a social engineering campaign using text messages. "Once the device is infected, it's almost impossible to get it out," says Dmitry Bestuzhev, head of global research and analysis team in Latin America for Kaspersky Lab.

Once it's wormed its way into a device, the malware looks for apps from a specific set of financial institutions: USAA, Citigroup, American Express, Wells Fargo, Bank of America, TD Bank, JPMorgan Chase, BB&T and Regions Bank.

It then locks the screen of the mobile device with a fake FBI penalty notification letter and demands $200 in the form of Green Dot MoneyPak cards. It also displays a photo of the user taken by the phone's front camera. (The malware suggests stores where the user can buy MoneyPak vouchers and provides a data field to type in the voucher numbers.)

For now, Svpeng does not steal mobile or online banking credentials. But it is only a matter of time before it does, according to Kaspersky Lab researchers. The Trojan also contains code that could be used for file encryption; it could, therefore, encrypt files stored on the mobile device and demand money to unencrypt them.

In time, Svpeng may start gathering mobile banking app credentials, which would give it a path to steal money from users' accounts, Inscoe says.

Customers who fall victim to Svpeng can do almost nothing, says Roman Unuchek, senior malware analyst at Kaspersky Lab.

"The only hope for unlocking the device is if it was already rooted before it was infected, then it could be unlocked without deleting the data," he says. If the phone wasn't rooted, the customer might put it in safe mode and erase all data on the phone only, while SIM and SD cards stay untouched and uninfected.

Banks can, of course, monitor transactions for signs of account takeover activity stemming from the mobile malware. "If the Trojans succeed in stealing customer credentials or taking over customer interfaces, the bank needs to detect the activity and prohibit the criminal from accessing or raiding customer accounts," Litan says.

They also need to educate their customers about the threat.

"It is impossible to repel an attack of American Svpeng if a mobile device doesn't have a security solution the malware will block the device completely," says Unuchek. "If I were a bank CIO, I would make sure that customers have proper mobile security in place."

"U.S. banks have done nothing to educate U.S. consumers about malware that targets mobile devices, nor have telecom carriers," adds Aite's Inscoe. "We have been fortunate to date that there have been minimal bank losses from the mobile channel. Svpeng may well change that."

Litan agrees.

"This is surely a sign that mobile malware is on the increase and will become much more prevalent in the next year or two," she says. "I am sure we will see many variations on the same themes we have seen with PC-based applications."


(4) Comments



Comments (4)
Want to learn more? Join us for a breaking news Web seminar on this topic Friday, June 20 at noon ET. http://www.americanbanker.com/webseminars/update-Svpeng-mobile-malware-1068128-1.html]
Posted by rsausner | Tuesday, June 17 2014 at 11:51AM ET
Well written, Penny. It's an interesting story. Here are a few points to consider: one of the largest challenges facing banks and consumers alike (when it comes to malware) is this confusion and lack of clarity and consistency regarding the ultimate objective for the bad guy. You here explain that Svpeng waffles between being a ransomware variant and credential stealer. In both cases, banks find themselves between a rock and a hard place since they have no control over their customers behavior or devices.

To prevent ransomware, preparation is key. That means maintaining regular and complete backups of critical information and the willingness to wipe and restore impacted systems. For malware that steals credentials, banks (and all online businesses for that matter) MUST have a way to detect when those apparently legitimate credentials are being used illegally. How? There are solutions designed to detect when legitimate credentials are being used from a suspect device. That makes the ability to identify the device behind the data critical. For better or worse, by the time malware is detected it's already too late, the focus needs to move beyond detection to mitigating the real risk that malware enables.

-David Britton, Vice President of Industry Solutions at 41st Parameter
Posted by DavidBritton | Monday, June 16 2014 at 1:17PM ET
Good point. The malware targets Android devices.
Posted by pennycrosman | Monday, June 16 2014 at 12:41PM ET
It would be additionally helpful if the article mentioned which mobile operating systems American Svpeng infects... Android, IOS, or both.
Posted by slamecka | Monday, June 16 2014 at 8:28AM ET
Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.