First Major Mobile Banking Security Threat Hits the U.S.

Register now

Is mobile banking safe? It's a question that's been in the back of many people's minds ever since banks introduced apps in 2009. With roughly 102 million Americans using mobile banking, the potential for hackers, phishers and other types of cyberattackers to prey on mobile banking users is vast.

But until last week, no major security event had directly threatened U.S. mobile banking users.

On Wednesday, Kaspersky Lab discovered that a breed of malware targeting mobile devices called Svpeng had made its way from Russia to the U.S. The malware, which targets Android devices, looks for specific mobile banking apps on the phone, then locks the phone and demands money to unlock it.

So begins a mobile banking security moment of truth.

"This is troubling," says Avivah Litan, vice president of Gartner. "Banks cannot cleanse their customers' smartphones and have no control over this type of Trojan. All they can control is customer interactions with their bank applications. Even securing mobile bank applications and strengthening authentication processes for mobile users won't stop this type of Trojan from operating."

Svpeng was first detected last September in Russia, where it was used to steal card data from mobile devices, explains Shirley Inscoe, senior analyst at Aite Group. Some variants detected when users opened a targeted mobile banking app and displayed a fake login screen to capture log-in credentials. A similar technique was used to collect credit card details when users opened Google Play.

The malware recently was discovered in the U.S. and the U.K., with a new behavior pattern. 

In the U.S., Svpeng breaks into a mobile device through a social engineering campaign using text messages. "Once the device is infected, it's almost impossible to get it out," says Dmitry Bestuzhev, head of global research and analysis team in Latin America for Kaspersky Lab.

Once it's wormed its way into a device, the malware looks for apps from a specific set of financial institutions: USAA, Citigroup, American Express, Wells Fargo, Bank of America, TD Bank, JPMorgan Chase, BB&T and Regions Bank.

It then locks the screen of the mobile device with a fake FBI penalty notification letter and demands $200 in the form of Green Dot MoneyPak cards. It also displays a photo of the user taken by the phone's front camera. (The malware suggests stores where the user can buy MoneyPak vouchers and provides a data field to type in the voucher numbers.)

For now, Svpeng does not steal mobile or online banking credentials. But it is only a matter of time before it does, according to Kaspersky Lab researchers. The Trojan also contains code that could be used for file encryption; it could, therefore, encrypt files stored on the mobile device and demand money to unencrypt them.

In time, Svpeng may start gathering mobile banking app credentials, which would give it a path to steal money from users' accounts, Inscoe says.

Customers who fall victim to Svpeng can do almost nothing, says Roman Unuchek, senior malware analyst at Kaspersky Lab.

"The only hope for unlocking the device is if it was already rooted before it was infected, then it could be unlocked without deleting the data," he says. If the phone wasn't rooted, the customer might put it in safe mode and erase all data on the phone only, while SIM and SD cards stay untouched and uninfected.

Banks can, of course, monitor transactions for signs of account takeover activity stemming from the mobile malware. "If the Trojans succeed in stealing customer credentials or taking over customer interfaces, the bank needs to detect the activity and prohibit the criminal from accessing or raiding customer accounts," Litan says.

They also need to educate their customers about the threat.

"It is impossible to repel an attack of American Svpeng if a mobile device doesn't have a security solution — the malware will block the device completely," says Unuchek. "If I were a bank CIO, I would make sure that customers have proper mobile security in place."

"U.S. banks have done nothing to educate U.S. consumers about malware that targets mobile devices, nor have telecom carriers," adds Aite's Inscoe. "We have been fortunate to date that there have been minimal bank losses from the mobile channel. Svpeng may well change that."

Litan agrees.

"This is surely a sign that mobile malware is on the increase and will become much more prevalent in the next year or two," she says. "I am sure we will see many variations on the same themes we have seen with PC-based applications."

For reprint and licensing requests for this article, click here.