On September 24, 2018, clients of three major Czech banks were hit by mobile malware and had money stolen from their bank accounts. What happened with the QRecorder malware?
What happened?
• Several clients of the Czech banks reported losing money from their bank accounts.
• In total, "high tens of thousands" of US dollars were lost.
• The users had their Android smartphones infected with mobile malware; ESET was the first to report it.
• The police are currently investigating the incident.
More info about the malware
• QRecorder: A repackaged app for phone call recording.
• Distributed via Google Play, which is a regular distribution channel.
• Activated via a remote update at the right moment. Internally, the "Spy.Banker.AIX" malware core was used.
• Tailor-made for specific banks. It was able to bypass the additional security measures designed by the banks.
What was the principle of this attack?
• The attack was in principle a clever "overlay attack."
• The malware placed an overlay over the regular banking app. It requested sensitive information from the user, pretending that the regular mobile app was requesting the information.
• After gathering a sufficient amount of private information, it intercepted the SMS OTP sent by the bank and took full control over the bank account.
What can banks do?
• Invest in App Shielding / RASP technologies to protect their mobile banking apps from overlay attacks and other sophisticated runtime attacks.
• Be ready to respond fast in case a similar threat emerges again.
• Educate customers, though it would not have helped in this case: the customers did everything right.
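One client-side mitigation of the kind the App Shielding / RASP bullet refers to, as an added example (not code from the original page, from ESET or from any of the affected banks): an Android login Activity that rejects touches arriving through an obscuring window and treats loss of window focus while the login form is still resumed as a suspected overlay. The layout and view ids and the showOverlayWarning() helper are assumed names.

```java
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.widget.EditText;
// Hypothetical login screen of a mobile banking app. R.layout.activity_login,
// R.id.password and showOverlayWarning() are assumed names, not real project code.
public class LoginActivity extends Activity {
    private static final String TAG = "LoginActivity";
    private EditText passwordField;
    private boolean sensitiveScreenShown;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);       // assumed layout
        passwordField = findViewById(R.id.password);   // assumed view id
        // Drop touches delivered while another window is drawn over this view.
        // This blocks "tapjacking" overlays that pass taps through to the app below;
        // it does not stop a fake form that captures input itself, hence the focus check.
        passwordField.setFilterTouchesWhenObscured(true);
    }

    @Override
    protected void onResume() {
        super.onResume();
        sensitiveScreenShown = true;
    }

    @Override
    protected void onPause() {
        sensitiveScreenShown = false;
        super.onPause();
    }

    // An overlay window drawn over the login form takes window focus without pausing
    // this activity, so "focus lost while still resumed" is treated as a suspected overlay.
    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        if (!hasFocus && sensitiveScreenShown) {
            // Defensive reaction: discard partially typed input, record the event for
            // the fraud team, and warn the user that the screen may not be trustworthy.
            passwordField.setText("");
            Log.w(TAG, "window focus lost on login screen: possible overlay");
            showOverlayWarning();
        }
    }
    private void showOverlayWarning() { /* assumed: show a blocking warning dialog */ }
}
```

The notification shade, permission prompts and the system's own dialogs also take window focus, so the signal is a prompt to re-verify the screen and alert the fraud team, not a certain detection on its own.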
What can app users do?
• Install a mobile anti-virus solution.
• Be alert to changes in the behavior of their mobile banking app.
• Never enter credentials intended for Internet banking into the mobile banking app or any system other than Internet banking.