New banking malware intercepts mobile authentication

Just as banks and other organisations are beginning to use mobile devices to authenticate commercial transactions, an IT security company has claimed to have detected the first co-ordinated mobile and desktop malware attack.

According to S21sec, the new variant of the ZeuS trojan first infects the victim’s PC. Then a web application purpoting to be from a bank asks the victim to input their mobile phone number and details of their device. Third, the victim is asked via text message to install an application on to the phone. This application can then be used to intercept any text messages the victim sends.

The reason this would be valuable to a criminal is that certain organisations are preparing to use text messages as a way to authenticate online transactions.

UK online bank Egg, for example, is introducing its mobile authenication service next month. When a customer conducts a transaction online they are sent a confirmation code via text message that they must enter for the transaction to be completed. Using this new attack, criminals could theoretically intercept this text and ‘authenticate’ illegal transactions.

S21sec says that it has found examples of the infection “in the wild” (i.e. in circulation) that affect BlackBerrys and Symbian-based devices. The company says that 10 Spanish banks are being targeted and that the malware is linked to what appears to be UK-based number.

“This is the first ‘in-the-wild’ attack where criminals combine malware both on PCs and mobile devices,” the company said in statement. “It represents an escalation of the technical and social engineering techniques available to cyber-criminals.”

“Although we cannot state that it is a really advanced malicious application, it really works, it is out there in the wild, and the thin line between PC and mobile malware is thinner than ever,” S21sec said.  

“We are working with mobile carriers to help them to detect infected devices,” it added. “Mobile carriers are the key actors in this incident, because they are the only ones that can detect which devices are infected and block all the connections to and from the mobile.”

Earlier this month, web giant Google announced that customers of its online application services will soon be able to protect access to their applications with two-factor authentication, again using text messages sent to users’ mobile phones.

Pete Swabey

Pete Swabey

Pete was Editor of Information Age and head of technology research for Vitesse Media plc from 2005 to 2013, before moving on to be Senior Editor and then Editorial Director at The Economist Intelligence...

Related Topics