Poorly-Secured Banking Apps Spur Additional Threats for Smartphone Users

The increased use of mobile banking apps has opened doors to new cyber threats, including data theft. Many of these apps carry security flaws of their own, and attackers also distribute fake apps and trojans that impersonate them.

Poor source code risks users’ data

  • In a study, Positive Technologies examined 14 banking apps available on both iOS and Android, each with more than 500,000 downloads, and found that every one of them contained at least one vulnerability.
  • The vulnerabilities fall into three categories: flaws in the application code, weaknesses in client-server interaction, and incorrect implementation of security mechanisms.
  • Another common weakness was failing to keep the app and its components updated with security fixes.
  • Vulnerabilities in 13 of the 14 apps could be exploited to gain unauthorized access to user data or to mount Man-in-the-Middle attacks on the app's traffic, and 11 apps allowed unauthorized access to the source code itself.
  • The researchers highlighted that 76% of these vulnerabilities can be exploited without physical access to the target device, by tricking unsuspecting users into opening specially crafted messages or links.
  • The vulnerabilities uncovered in the study can allow attackers to commit fraud, steal funds, and exfiltrate other sensitive information.
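The client-server weaknesses that let an attacker sit in the middle of a banking app's traffic are usually a broken TLS trust decision in the app. The Kotlin snippet below is an added example, not code from the article, the study, or any bank's app: it shows the "trust every certificate" pattern that makes interception trivial, next to an OkHttp client that keeps the platform trust store and additionally pins the bank's certificate public key. The hostname and the two pin values are placeholders.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import java.security.SecureRandom
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.X509TrustManager

// VULNERABLE: a trust manager that accepts any server certificate. An attacker
// on the network path (rogue Wi-Fi, compromised router) can present their own
// certificate and read or modify every request, including login credentials.
val trustEverything = object : X509TrustManager {
    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {}
    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {}
    override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
}

fun insecureClient(): OkHttpClient {
    val ctx = SSLContext.getInstance("TLS")
    ctx.init(null, arrayOf(trustEverything), SecureRandom())
    return OkHttpClient.Builder()
        .sslSocketFactory(ctx.socketFactory, trustEverything)
        .hostnameVerifier { _, _ -> true } // also disables hostname verification
        .build()
}

// Placeholder hostname for the example; not a real bank endpoint.
const val API_HOST = "api.example-bank.invalid"

// HARDENED: the default trust store still validates the chain, and on top of
// that the SPKI SHA-256 hash of the bank's certificate must match one of the
// pins. A second pin is kept for the next key so rotation does not lock users out.
fun pinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // placeholder current pin
        .add(API_HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // placeholder backup pin
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .build()
}
```

With the pinned client, a connection whose certificate chain contains none of the pinned keys fails with an SSLPeerUnverifiedException before any request body is sent; with the insecure client the same interception succeeds silently. Pins must be rotated before the pinned certificate expires, which is why the hardened version carries a backup.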

Additional threats observed during COVID-19

  • Threat actors have been taking advantage of the surge in mobile banking app use during COVID-19, when access to bank branches was limited.
  • The FBI warned that mobile banking usage had surged by 50% since the beginning of 2020 and that it expected attackers to follow users onto these apps.
  • The attacks it described rely mostly on fake banking apps and on banking trojans that lie dormant on a user's device until a legitimate banking app is installed.
  • The ultimate goal of these attacks is to steal the login credentials of banking users.

What else users should know

Apart from exploiting coding errors, attackers can also launch attacks after gaining physical access to the device. A rooted (Android) or jailbroken (iOS) device, or one with no PIN code set to unlock the screen, gives an attacker far more leverage to conduct malicious actions.
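Banking apps typically respond to this by checking for signs of a rooted device and raising the bar (a warning, step-up authentication, or refusing to run) when they find them. The Kotlin function below is an added example with a hypothetical name, not code from the article or any bank app: it collects the common root indicators on Android. None of these checks is a security boundary, since a user with root can hide each of them, so the result is a risk signal rather than proof.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.io.File

// Hypothetical helper: returns a list of human-readable root indicators found
// on this device (empty list means none of the checks fired).
fun rootIndicators(context: Context): List<String> {
    val findings = mutableListOf<String>()

    // Test-signed builds are typical of custom ROMs and emulators.
    if (Build.TAGS?.contains("test-keys") == true) {
        findings += "build tags: ${Build.TAGS}"
    }

    // Binaries and directories left behind by common rooting tools.
    val suspiciousPaths = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/system/app/Superuser.apk", "/data/adb/magisk"
    )
    suspiciousPaths.filter { File(it).exists() }
        .forEach { findings += "path exists: $it" }

    // Root-management apps installed on the device.
    val suspiciousPackages = listOf(
        "com.topjohnwu.magisk", "eu.chainfire.supersu", "com.koushikdutta.superuser"
    )
    for (pkg in suspiciousPackages) {
        try {
            context.packageManager.getPackageInfo(pkg, 0)
            findings += "package installed: $pkg"
        } catch (e: PackageManager.NameNotFoundException) {
            // not installed, nothing to record
        }
    }

    // An su executable reachable on PATH.
    runCatching {
        val proc = Runtime.getRuntime().exec(arrayOf("which", "su"))
        val out = proc.inputStream.bufferedReader().readText().trim()
        proc.waitFor()
        if (out.isNotEmpty()) findings += "su on PATH: $out"
    }

    return findings
}
```

Because each check can be bypassed locally, a stronger signal comes from a server-verified device attestation such as Google's Play Integrity API, with the local indicators used to decide which actions (for example high-value transfers) require step-up authentication.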

Security tips for users

  • Do not jailbreak or root your device. Doing so exposes the device file system and disables the data protection mechanisms that contain malicious app activity.
  • Set a PIN code to unlock your device so that a lost or stolen phone does not hand over your apps.
  • Always download apps from official app stores or from the bank's own website.
  • Enable two-factor authentication on all important accounts and use strong, unique passwords as an additional layer of protection.