Banking trojans. How can they steal your wallet from your smartphone?

Banking Trojans pose a huge threat to citizens and businesses

Banking trojans are a type of malware that allows criminals to access their victims’ bank accounts and cryptocurrency wallets

How long can you go without looking at your phone? For more than a decade, smartphones have been a staple of our daily lives. From the palm of our hand, we can manage multiple aspects of our personal, professional, or business lives.

We use our phones to perform everyday tasks, such as replying to a work email, sending a WhatsApp message to our partner, paying a supplier’s bill, or purchasing groceries at the supermarket.

As a result, our phones contain a huge amount of personal, professional, and financial information. This makes them a particularly attractive target for cybercriminals.

It should therefore come as no surprise that malicious actors develop malware such as banking trojans to access the bank accounts of companies and citizens and steal their money.

A few days ago, it was revealed that one of the most notorious banking trojans, Anatsa, is already being used to attack citizens and companies in multiple countries and gain access to more than 800 financial applications.

This case highlights the threat posed by malware that seeks to infect our mobile devices in general and banking trojans in particular.

In fact, Google recently removed 77 apps from Google Play that had accumulated 19 million installations and were used to distribute multiple types of malware: adware, spyware, banking trojans, etc.

1. How do banking trojans work?

Anatsa is a prime example of the evolution of banking trojans and their constant refinement. What are the key features of banking trojans?

  1. They are distributed through applications that appear to be legitimate, such as PDF readers, file cleaners, QR code readers, or pirated software. In some cases, these mobile apps are found on Google Play; in others, users download them from websites supposedly owned by the application developers. It is also very common for users to rely on third-party APK markets that allow mobile applications to be downloaded without going through the official Google store.
  2. Currently, to evade Google’s review process, the banking trojan itself is downloaded only after the decoy app has been installed: the decoy connects to the trojan’s command and control server, fetches the payload, and presents its installation to the user as an update.
  3. They use techniques to evade analysis and detection by device security mechanisms, which is why strengthening security on Android systems is so important. For example, malformed APK files are used to break static analysis and emulation-based detection.
  4. Once on the victim’s phone, the banking trojan obtains all the permissions it needs to perform actions such as overlaying fake screens on legitimate financial applications, harvesting the credentials used to log into them, intercepting communications between these applications and their users, manipulating notifications, receiving and reading SMS messages, taking screenshots, and capturing codes from multi-factor authentication mechanisms.
  5. Thanks to the information they can collect, the cybercriminals behind the use of banking trojans can make illegitimate transfers from their victims’ bank accounts or transfer cryptocurrencies from their wallets.

2. What are criminals looking for?

The use of banking trojans such as Anatsa, MMRat, Xenomorph, or Hook has a clear objective: to steal money from companies and citizens through illegitimate access to their banking applications and crypto wallets.

To achieve this, cybercriminals who develop banking trojans have been refining their techniques, tactics, and procedures, as noted above, to:

  • Deceive citizens and companies in a context where suspicion is growing and society has become aware of the risks involved in downloading malicious applications.
  • Overcome increasingly robust security mechanisms, which allows them to remain undetected on infected devices.
  • Access victims’ bank accounts, despite the significant increase in protection systems developed by banks in recent years. Banking trojans allow criminals to successfully bypass essential security mechanisms such as multi-factor authentication to enter banking apps or authorize payments.
  • Monetize attacks immediately and equip themselves with more resources to continue refining their techniques, tactics, and procedures.
Banking Trojans are becoming increasingly sophisticated and difficult to detect

3. Can banking trojans also affect cryptocurrency wallets?

Although banking trojans were originally used to gain illegitimate access to victims’ bank accounts, they have been adapted to facilitate criminals’ access to the wallets of infected device owners.

It is no secret that the cryptocurrency market continues to grow. Cryptocurrencies have become an investment asset for millions of people who manage their assets through wallets and exchanges accessed from their mobile phones.

Banking trojans such as Crocodilus abuse device accessibility permissions to capture information that allows malicious actors to empty their victims’ wallets and take control of their assets.

4. Basic tips to avoid falling victim to banking trojans

Users can and should implement good security practices to avoid falling victim to banking trojans. How?

  1. Only download apps from the Play Store and App Store that have been developed by companies you know.
  2. Before downloading an app, check user ratings, the number of downloads, and reviews to detect any signs that it may be malicious.
  3. Update your mobile operating system to implement all the latest security improvements developed by Android or Apple.
  4. Enable security tools such as Google Play Protect or iOS Security Check.
  5. Review the security permissions that apps have and limit them to the minimum permissions necessary for them to function properly.
  6. Regularly check metrics such as the data or battery consumption of apps running in the background. If any of these figures are unusually high, malware has likely been installed, and a malicious actor is acting to steal sensitive data.
Cybersecurity for mobile devices is critical today
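The permission review in tip 5, and the permissions listed in section 1 that banking trojans rely on (overlays, SMS access, installing a second-stage APK disguised as an update, accessibility services), can be turned into a repeatable check. The script below is an added example written for this article, not tooling from the article or from Google; it assumes input in the shape of `adb shell dumpsys package <pkg>` and `adb shell settings get secure enabled_accessibility_services`, and the package names, service names and dumpsys text it contains are constructed samples, not real device data.

```python
"""Audit Android apps for the permission combinations banking trojans abuse.

Added example for this article, not the article's own tooling. It parses text
in the shape of `adb shell dumpsys package <pkg>` and of
`adb shell settings get secure enabled_accessibility_services`; the samples
below are constructed to mimic that output and are not real device data.
"""
import re

# Permissions the article describes banking trojans abusing, with the reason each matters.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw fake login screens over banking apps",
    "android.permission.RECEIVE_SMS": "can intercept SMS one-time codes",
    "android.permission.READ_SMS": "can read stored SMS one-time codes",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install a second-stage APK disguised as an update",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate installed financial apps",
}
PLAY_STORE_INSTALLER = "com.android.vending"  # Google Play's installer package name


def parse_dumpsys_package(dump: str) -> dict:
    """Return the installer package and requested permissions from one package's dumpsys text."""
    match = re.search(r"installerPackageName=(\S+)", dump)
    installer = match.group(1) if match and match.group(1) != "null" else None
    requested, in_block = set(), False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
        elif in_block and stripped.endswith(":"):
            in_block = False  # the next section header ends the block
        elif in_block and ".permission." in stripped:
            requested.add(stripped.split(":")[0])
    return {"installer": installer, "requested": requested}


def accessibility_enabled_packages(settings_value: str) -> set:
    """Parse the colon-separated enabled_accessibility_services value into package names."""
    return {
        entry.split("/")[0]
        for entry in settings_value.strip().split(":")
        if entry.strip() and entry != "null"
    }


def assess_app(package: str, dump: str, accessibility_setting: str) -> dict:
    """Combine install origin, risky permissions and accessibility use into a verdict."""
    info = parse_dumpsys_package(dump)
    findings = [f"{perm}: {why}" for perm, why in RISKY_PERMISSIONS.items() if perm in info["requested"]]
    if package in accessibility_enabled_packages(accessibility_setting):
        findings.append("accessibility service enabled: can read screen content and inject taps")
    sideloaded = info["installer"] != PLAY_STORE_INSTALLER
    if sideloaded:
        findings.append(f"installed by {info['installer'] or 'unknown source'}, not Google Play")
    # A sideloaded app combining several of these capabilities is the pattern worth escalating.
    if sideloaded and len(findings) >= 3:
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"package": package, "risk": risk, "findings": findings}


# Constructed sample: a sideloaded "PDF reader" of the kind the article describes.
SAMPLE_DROPPER_DUMP = """\
Packages:
  Package [com.example.pdfreader] (3f2a1c):
    userId=10231
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.QUERY_ALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
"""
# Constructed sample: a Play-installed app asking only for network access.
SAMPLE_BENIGN_DUMP = """\
Packages:
  Package [com.example.notes] (a91b02):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""
# Constructed value of `settings get secure enabled_accessibility_services`.
SAMPLE_ACCESSIBILITY = "com.example.pdfreader/com.example.pdfreader.OverlayService"

if __name__ == "__main__":
    for pkg, dump in [("com.example.pdfreader", SAMPLE_DROPPER_DUMP), ("com.example.notes", SAMPLE_BENIGN_DUMP)]:
        report = assess_app(pkg, dump, SAMPLE_ACCESSIBILITY)
        print(report["package"], report["risk"])
        for finding in report["findings"]:
            print("  -", finding)
```

On a real device the same functions would be fed the output of `adb shell pm list packages -3` (to enumerate third-party apps) and `adb shell dumpsys package <pkg>` for each one; the verdict is a triage signal for a corporate device audit, not proof of infection, since legitimate apps can request some of these permissions individually. The combination that matters, as the article describes it, is a sideloaded app that can overlay screens, read SMS codes and install further packages.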

5. What companies can do to protect themselves from banking Trojans

If the use of banking trojans against personal mobile devices is dangerous, it is even more so when the infected devices are corporate devices that have financial apps installed.

Nowadays, it is not unusual for a company’s CFO or other senior managers to have banking applications installed on their devices, from which they can manage payments to suppliers or business partners, as well as authorize transactions using a multi-factor authentication system.

Ensuring the protection of these devices is critical for companies, as if they are infected with banking Trojans, criminals could steal large sums of money.

To prevent this, companies can:

  • Train and educate their employees about the most sophisticated social engineering techniques and the threats they face, including through social engineering tests.
  • Continuously audit the security of corporate mobile devices by combining automated tools for detecting and responding to malicious activity with expert analysis.
  • Perform ongoing monitoring of mobile phones that have banking apps installed, to prevent the download of unsafe apps and ensure that security updates are applied.
  • Develop best practice manuals to prevent unsafe actions, such as downloading apps that do not come from trusted developers or allowing an app to have excessive permissions.

6. Google MASA, Google Play Protect, and Developer Verification: The effort to eradicate banking Trojans and other malware from our mobile phones

First of all, we should point out that, although we have focused on banking trojans that target Android mobile phones, we must not lose sight of the fact that there are also banking Trojans designed to infect mobile phones with the iOS operating system, such as GoldPickaxe.

That said, the criminal groups behind the development of banking trojans and other malware have focused primarily on phones that use Android as their operating system.

That is why Google has designed a security strategy to increase the level of protection for devices and users. What are the three main pillars of this strategy?

  1. Google MASA. This initiative aims to enhance the security verification of applications available on the Play Store. This verification is based on testing in accordance with OWASP methodologies (MASVS and MASTG), which constitute a global standard in mobile application cybersecurity. In this way, mobile application audits can be used to validate that an app has no weaknesses and complies with security requirements.
  2. Google Play Protect. This security tool is integrated into Android operating systems and is used to:
    • Verify apps in the Play Store before downloading them to detect malware.
    • Periodically scan mobile devices for malicious apps that hide, for example, banking Trojans.
    • Send users security alerts about apps that falsify their information or that can obtain security permissions, allowing them to access sensitive information, such as credentials to log into financial apps.
  3. Developer Verification. Starting in 2027, companies that develop Android mobile apps, whether or not they upload them to the Play Store, will be required to be registered as verified developers. Otherwise, they cannot be installed on certified Android devices. The aim is to make it more difficult for criminals to spread malicious mobile applications by linking apps to their developers, preventing anonymity, and holding developers accountable for the security of their applications.

In short, banking trojans pose a threat to the financial security of citizens and businesses.

Given the central role that mobile phones play in our lives, cybercriminals have redoubled their efforts to develop techniques, tactics, and procedures that allow them to spy on us or gain access to critical applications such as email apps, cloud document storage, or banking apps.

In the fight against banking trojans and other types of malware, citizens and businesses must act cautiously and surround themselves with all the necessary security measures.