Presentation on theme: "Jeff Fu Bangcle Security – SecNeo Ltd.. You Probably Already Know About Mobile Banking Threats But you might not know theres an entire illegal industry."— Presentation transcript:
Jeff Fu Bangcle Security – SecNeo Ltd.
You Probably Already Know About Mobile Banking Threats But you might not know theres an entire illegal industry dedicated to mobile banking. Do you know what keys Cybercriminals have? How they steal money from Android App?
2013: 143,211 New malwares 3,905,502 Malicious installation packages Malware Threats on Mobile In total: Approximately 10,000,000 unique malicious installation packages For the 259 new malware families on Q3, 2013
2013 Malware Threats on Android Android remains a prime target for malicious attacks % of all malware detected in 2013 targeted this platform, confirming both the popularity of this mobile OS and the vulnerability of its architecture.
2013 Malware Target Mobile Banking The cyber industry of mobile malware is becoming more focused on making profits more effectively. I.e., mobile phishing, theft of credit card information, money transfers from bank cards to mobile phones and from phones to the criminals e-wallets The number of mobile banking malware 2013 was marked by a rapid rise in the number of Android banking Trojans.
2013 The Geography of Mobile Threats Countries where users face the greatest risk of mobile malware infection (the percentage of all attacked unique users) Country % of all attacked unique users 1Russia40.34% 2India7.90% 3Vietnam3.96% 4Ukraine3.84% 5United Kingdom3.42% 6Germany3.20% 7Kazakhstan2.88% 8USA2.13% 9Malaysia2.12% 10Iran2.01%
Mobile Banking Virus-Svpeng Svpeng detected by Kaspersky as Trojan-SMS.AndroidOS.Svpeng.A Collects phone information Steals voice call SMS messages Steals money from the victims bank account Steals logins and passwords to online banking accounts Steals bank card information (the number, the expiry date, CVC2/CVV2),
My app is good designed, I considered all the potential risks. My app is good programed by senior engineers. My app is completely tested, all the bug is fixed. My app is published to the Google Market. My customers installed the official released Apps. Yes, I believe you have done all what you can do But your App is still in danger
Attack MethodSolution Bypass Integrity protection and verificationNo Steal source code and security logicNo Repacking the App and conducting fraudNo Repacking the App and inserting malware codeNo Bypass the local security controlMove security control to server side Get the symmetric encryption password and decryption local data Use asymmetric encryption
Attack MethodSolution Dynamic memory injection attack to modify transaction informationNo Dynamic components hook attack get account ID, passwordNo UI hijack attack to get user inputNo Keyboard hijack attack to get user inputNo MAN-IN-THE-MOBILE attackNo MAN-IN-THE-MIDDLE attackNo
1.Hacker injected the payment components 2.Hacker intercepted the transaction data before it is encrypted 3.Hacker modified the account ID and user name 4.The money is transferred to hackers account 5.Hacker tamper the invoice message or SMS and changed them back to original transaction account and user name Dynamic injection Demo
Integrity protection failure of Mobile Banking App is the root cause for the most attacks. Static integrity protection failure Dynamic integrity protection failure We need to make sure: 1)The App used by the customers is not tamped and repacked 2)The App is always running the same as designed 3)The information in the App can not be accessed and modified 4)All the security logic can not be bypassed
2013 Financial App Protection Financial App Integrity Protection In past 3 years, Bangcle provides services to: 100+ Financial and e- Payment Apps 500+ Business App developers Our security products covered more than 300,000,000 smart devices The leading App Security Provider in the world Financial App Runtime Protection Financial App Data Protection
Join us to get more detail information about Bangcle Mobile Banking Security Solution