Smart talk mobile

Mobile cyberattacks: the different facets of smartphone malware

The number of mobile applications is growing rapidly, and so are the security risks. The TeaBot Remote Access Trojan (RAT), which emerged in early 2021 and was designed to steal victim credentials and SMS messages, remains widespread. Behavioral biometrics is the key to overcoming the challenge of advancing mobile malware.

Over the past decade, the use of mobile devices has grown exponentially. There are approximately 5.3 billion unique mobile phone users worldwide today, more than 90% of whom use the Internet. About 40 apps are installed on every mobile device, with the total number of downloaded apps expected to exceed 250 billion by the end of the year.

As the number of mobile devices and apps increases, so does the spread of cyberattacks, with criminals increasingly focusing on banking apps. Mobile infiltration methods have become increasingly diverse and complex, and they can be updated over time; the TeaBot RAT is no different. The now-global TeaBot has infiltrated banks, cryptocurrency exchanges and digital insurance providers, causing damage wherever it is found. Behavioral biometrics, however, provide the key to minimizing its risk.

Social engineering on mobile

For the most part, attacks start with sophisticated social engineering to trick the user into downloading the malware onto their device. These Trojans often arrive via phishing emails, text messages or fake apps.

The Trojan then installs and allows the attacker to collect information as well as load further malware. Remote Access Tools (RATs), for example, allow the criminal to gain administrative access to the device and intercept banking application credentials or even use one-time access codes.

According to our research, 1 in 24 fraud cases involved a RAT attack. HTML overlay attacks are also used to obtain critical data. In most situations, those using a banking app on their smartphone are unaware of these actions.

TeaBot: the chronicle of an attacker

Malware detection has traditionally depended on conventional antivirus technologies that search for suspicious file names and regularly check applications and their hashes against known malware. However, these strategies have steadily reached their limits in recent years: to avoid detection by antivirus software, attackers build malware whose file name changes constantly.

Last year, the TeaBot malware, also known as Anatsa in Germany, made headlines. Its developers attempt to trick the victim into downloading the malware by disguising it as a supposedly harmless application. TeaBot is equipped with RAT functions and is available in several languages. The banking Trojan spreads via malicious apps outside the Play Store, under names such as VLC MediaPlayer, UPS and DHL. To spread the malware en masse, the attackers use so-called smishing attacks: the victim receives an SMS with a link to the application and uses it to download the Trojan. Another distribution method is fake pop-ups through which TeaBot is downloaded and installed; it then registers itself as an Android service and runs in the background, which allows it to nest permanently and undetected on the device. After installation it acquires broad permissions and immediately starts scanning the apps installed on the device.

The TeaBot Trojan effectively takes control of the user’s smartphone by operating it remotely. It can read SMS messages and forward them to the command and control server to bypass OTP (one-time password) protections. It obtains permissions to act on notifications, includes keystroke logging, and can disable Google Play Protect and launch overlay attacks. TeaBot does this by loading a specially designed login page for the target application from the command and control server and placing this phishing page over the banking app. The user credentials entered there are captured by the keystroke logger and passed to the attacker’s command and control server.

TeaBot primarily targets banking and cryptocurrency apps, but the malware also collects information from other installed apps. It is practically impossible for those affected to delete it. And it can cause a lot of financial damage if a criminal gains access to login and account data and can use it to make transfers.

Behavioral biometrics: mobile malware detection

One way to detect TeaBot is through solutions based on behavioral biometrics. Using this technology, banks can determine whether a real user is operating the device or whether it is being remotely controlled by the malware via RAT. One example of how the malware behaves differently from a real user is navigation speed: the fraudsters controlling the device know the payment process very well and execute payments quickly to avoid being noticed by the victim.

Behavioral biometrics-based technologies compare user behavior with the customer’s previous sessions to determine consistency and intent. The way a user holds their mobile device is another telltale factor: in fraudulent sessions the device may lie on a table for the entire session, while a real user moves around with their smartphone. Touch and swipe patterns can also be analyzed and matched. In a RAT attack, no touch zone is usually visible, indicating that the device is being controlled remotely. If swipe gestures on the screen are detected in a different place than in previous sessions, this indicates that the real user did not control the device during the session.

An alert is issued to the bank’s security experts if the technology identifies several of these fraud indicators in combination. Thanks to behavioral biometrics and machine learning, financial institutions can intervene preventively in a fraud attempt before the customer suffers any financial harm.
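To make the detection logic of the last three paragraphs concrete, here is an added example written for this page; it is not BioCatch’s product or code. It scores a current session against a customer’s previous sessions using the four signals the text names (payment speed, device motion, visible touch zones, swipe placement) and raises an alert only when several indicators fire together. The feature names, the constructed session data and the thresholds are all assumptions chosen for illustration.

```python
"""Illustrative behavioral-biometrics session scoring (added example, not vendor code)."""
from dataclasses import dataclass
from math import dist
from statistics import mean
from typing import Dict, List, Tuple

# Assumed thresholds for illustration only; a real system learns these per customer.
FAST_RATIO = 0.5          # payment faster than half the customer's usual time
STILL_THRESHOLD = 0.1     # accelerometer variance below this = device lying still
SWIPE_DEVIATION = 0.25    # normalised screen distance from the usual swipe start area
ALERT_MIN_INDICATORS = 2  # alert only on a combination of indicators


@dataclass
class Session:
    payment_seconds: float                  # time from payment screen to submit
    motion_variance: float                  # variance of accelerometer magnitude
    touch_areas: List[float]                # contact area per touch; empty = no touch zone
    swipe_starts: List[Tuple[float, float]]  # normalised (x, y) where each swipe began


def baseline(history: List[Session]) -> Dict[str, float]:
    """Summarise the customer's previous sessions."""
    xs = [x for s in history for x, _ in s.swipe_starts]
    ys = [y for s in history for _, y in s.swipe_starts]
    return {
        "pay_mean": mean(s.payment_seconds for s in history),
        "motion_min": min(s.motion_variance for s in history),
        "swipe_x": mean(xs),
        "swipe_y": mean(ys),
    }


def score_session(current: Session, history: List[Session]) -> Dict[str, object]:
    """Return the fraud indicators that fire for `current` and whether to alert."""
    b = baseline(history)
    indicators: List[str] = []

    # 1. Payment completed far faster than this customer normally manages.
    if current.payment_seconds < FAST_RATIO * b["pay_mean"]:
        indicators.append("payment_too_fast")

    # 2. Device lay still although this customer normally moves with the phone.
    if current.motion_variance < STILL_THRESHOLD and b["motion_min"] >= STILL_THRESHOLD:
        indicators.append("device_still")

    # 3. Navigation happened (swipes recorded) but no physical touch zone was seen.
    if current.swipe_starts and not any(a > 0 for a in current.touch_areas):
        indicators.append("no_touch_zone")

    # 4. Swipes started in a different screen area than in previous sessions.
    if current.swipe_starts:
        centre = (b["swipe_x"], b["swipe_y"])
        drift = mean(dist(p, centre) for p in current.swipe_starts)
        if drift > SWIPE_DEVIATION:
            indicators.append("swipe_displaced")

    return {"indicators": indicators, "alert": len(indicators) >= ALERT_MIN_INDICATORS}


# Constructed sample data: three earlier sessions of one customer.
HISTORY = [
    Session(42.0, 0.8, [0.05, 0.06, 0.05], [(0.50, 0.70), (0.52, 0.68)]),
    Session(38.0, 1.1, [0.05, 0.05], [(0.48, 0.72), (0.50, 0.70)]),
    Session(45.0, 0.6, [0.06, 0.05, 0.05], [(0.51, 0.69), (0.49, 0.71)]),
]

# Constructed current sessions to score against that history.
GENUINE = Session(40.0, 0.9, [0.05, 0.05], [(0.50, 0.71), (0.49, 0.70)])
ON_TABLE = Session(40.0, 0.05, [0.05, 0.05], [(0.50, 0.71), (0.49, 0.70)])  # one signal only
REMOTE_CONTROLLED = Session(9.0, 0.0, [], [(0.15, 0.20), (0.18, 0.22)])      # RAT-like

if __name__ == "__main__":
    for name, s in [("genuine", GENUINE), ("on_table", ON_TABLE), ("remote", REMOTE_CONTROLLED)]:
        print(name, score_session(s, HISTORY))
```

The `ON_TABLE` case shows why the alert is tied to a combination of signals: a real customer may well leave the phone on a desk, so one indicator alone stays below the alert threshold, whereas the remote-controlled session trips all four.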


About the Author

Gemma Staite is Head of Threat Analytics at BioCatch. BioCatch is the leader in behavioral biometrics that analyzes a user’s physical and cognitive digital behavior online to protect individuals and their assets. Our mission is to unleash the power of behavior and deliver actionable insights to create a digital world where identity, trust and ease seamlessly coexist. Leading financial institutions around the world use BioCatch to fight fraud more effectively, drive digital transformation and accelerate business growth.