As the public increases its use of mobile banking apps, partly because of increased time at home due to COVID-19, the FBI anticipates cyber actors will exploit these platforms.

According to the FBI and the IC3, US financial technology providers estimate more than 75 percent of Americans used mobile banking in some form in 2019. Studies of US financial data indicate a 50 percent surge in mobile banking since the beginning of 2020. Additionally, studies indicate 36 percent of Americans plan to use mobile tools to conduct banking activities, and 20 percent plan to visit branch locations less often. With city, state, and local governments urging or mandating social distancing, Americans have become more willing to use mobile banking as an alternative to physically visiting branch locations, says the FBI.

Kacey Clark, Threat Researcher at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, "While many bank lobbies are closed and people choose to stay home to avoid coming into contact with COVID-19, it makes sense that banking customers are turning to mobile banking apps to deposit checks, transfer money, and pay bills. With this, cybercriminals are opportunistically leveraging the recently expanded mobile threat landscape."

The FBI expects cyber actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking trojans and fake banking apps.

Chris Hazelton, Director of Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions, notes there are a large number of fake mobile apps, with many targeting the immediate payday by stealing banking credentials. "However, most of these apps do not make it to public app stores. Users are often taken to websites that mirror real sites to download fake apps," he says. "While there are a large number of fake apps, there is also the threat that comes from mobile phishing - directing users to fake websites to download malicious apps or steal credentials directly. 45.5% of Lookout users encountered a mobile phishing attack in the last three months. This is up significantly from 32.5% in the middle of 2019."

Lookout Phishing AI, Hazelton notes, recently discovered a phishing campaign targeting customers via SMS messaging to lure them to fake websites of well-known Canadian and American banks. Lookout also identified more than 200 phishing pages that were part of this campaign, and has notified all banks affected. 

"Almost all users use a case to protect their phones from physical threats, but they should also protect the digital side of their smartphones to protect from malicious apps. They should also install mobile security software to protect their data and identities. Many services are free to use, and can easily be upgraded for even more protections," Hazelton says. 

Clark notes that Digital Shadows has observed multiple impersonation apps, which contain dangerous permissions that can give the app access to highly sensitive information or perform invasive actions on the user’s behalf: read and write SMS, authenticate accounts, capture and collect photos, request authentication tokens, process outgoing calls, read contacts, add or remove accounts, etc.

"In this scenario, users are misled into downloading a fake or impersonating app that uses dangerous permissions," Clark notes. "By using a bank’s brand imagery and details in the app’s description, users commonly ignore an app’s requested permissions because they are keen to trust that their download is legitimate. After the user enters their credentials into the app and attempts to log in, the credentials are harvested, and security codes can be bypassed."
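A defender's triage of the permissions listed above, as an added example that is not from the article, the FBI, or Digital Shadows: it reads a decoded AndroidManifest.xml and reports which of those capabilities an app requests, and which of them the bank's genuine app does not. The mapping to Android permission names, the sample manifest, the package name and the baseline are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the capabilities listed above to Android permission names.
RISKY = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.WRITE_SMS": "write SMS",
    "android.permission.AUTHENTICATE_ACCOUNTS": "authenticate accounts",
    "android.permission.CAMERA": "capture and collect photos",
    "android.permission.USE_CREDENTIALS": "request authentication tokens",
    "android.permission.PROCESS_OUTGOING_CALLS": "process outgoing calls",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.MANAGE_ACCOUNTS": "add or remove accounts",
}
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

def audit_manifest(xml_text):
    """Return {permission: capability} for each risky permission requested."""
    root = ET.fromstring(xml_text)
    requested = set()  # a set, so repeated declarations are counted once
    for tag in PERMISSION_TAGS:
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                requested.add(name.strip())
    return {p: RISKY[p] for p in sorted(requested) if p in RISKY}

def unexpected_permissions(xml_text, baseline):
    """Risky permissions the sample requests that the genuine app (baseline) does not."""
    return sorted(set(audit_manifest(xml_text)) - set(baseline))

# Constructed sample: decoded manifest of a hypothetical look-alike app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank.lookalike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

# Assumed baseline: the genuine app requests only the camera (check deposit).
GENUINE_BASELINE = {"android.permission.CAMERA"}

if __name__ == "__main__":
    for perm, why in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
    print("not in genuine app:", unexpected_permissions(SAMPLE_MANIFEST, GENUINE_BASELINE))
```

The standard-library parser is used here on a constructed string; for manifests taken from untrusted APKs, parse with a hardened XML library instead.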

In another scenario, notes Clark, banking trojans can be used as a “dropper” to install malware onto a user’s phone, particularly spyware (aka stalkerware). "Once installed on a device, spyware can remain undetected while managing and accessing everything on a victim’s device including sensitive information such as the target device’s camera and microphone, text messages, passwords, contact lists, stored or typed payment card details, and geo-location," says Clark. "To avoid downloading a malicious app, it is recommended that users visit their bank’s legitimate website to identify the link associated with their official mobile app and download from their phone’s respective app store."

The FBI's tips to protect you and your organization include:

  • Private sector companies should manage app stores for smartphones and actively vet these apps for malicious content. Additionally, most major US banks will provide a link to their mobile app on their website, notes the FBI. The FBI also recommends only obtaining smartphone apps from trusted sources like official app stores or directly from bank websites.        
  • Two-factor authentication should be enabled when prompted, says the FBI. Cybersecurity experts have stressed that two-factor authentication is a highly effective tool to secure accounts against compromise, and enabling any form of two-factor authentication will be to the user's advantage.
  • Cyber actors regularly exploit users who reuse passwords or use common or insecure passwords. The FBI recommends creating strong, unique passwords to mitigate these attacks. The National Institute of Standards and Technology's most recent guidance encourages users to make passwords or passphrases that are 15 characters or longer.