
On-Device Fraud: Mobile Malware's New Playground


The world of mobile malware has reached alarming sophistication, with on-device fraud (ODF) taking center stage. A recent report highlights how cybercriminals are ditching traditional server-based operations in favor of exploiting infected devices directly. This method not only evades detection but also mimics legitimate user actions, making it harder to trace and prevent.



What is On-Device Fraud?


ODF leverages malware installed on a victim's device to intercept communications, manipulate apps, and execute fraudulent transactions. Instead of communicating with external servers, fraud occurs locally, bypassing many of the advanced anti-fraud tools banks and companies rely on.


For example, modern malware families like Hydra and Xenomorph are designed to:

  • Bypass Multi-Factor Authentication (MFA): They intercept one-time passwords sent via SMS and take over banking sessions.

  • Hijack Legitimate App Activities: Using real-time overlay techniques, malware captures user input to drain accounts or steal sensitive data.



Why the Shift to ODF?


Security innovations like server-side behavioral analytics and robust fraud detection have pushed attackers to innovate. By staying on the user’s device, malware avoids external red flags, blending seamlessly into regular user activity.



Real-Life Consequences


In a high-profile case, a new variant of the BlackRock malware targeted over 400 apps, including popular banking platforms and e-commerce sites. Victims found themselves locked out of accounts, with money siphoned off to untraceable locations.


Hydra, FluBot (aka Cabassous), Cerberus, Octo, and ERMAC were the most active banking trojans by the number of samples observed.


Accompanying this trend is the continued discovery of new dropper apps on the Google Play Store that pose as seemingly innocuous productivity and utility applications in order to distribute the malware:


  • Nano Cleaner (com.casualplay.leadbro)

  • QuickScan (com.zynksoftware.docuscanapp)

  • Chrome (com.talkleadihr)

  • Play Store (com.girltold85)

  • Pocket Screencaster (com.cutthousandjs)

  • Chrome (com.biyitunixiko.populolo)

  • Chrome (Mobile com.xifoforezuma.kebo)

  • BAWAG PSK Security (com.qjlpfydjb.bpycogkzm)
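A practical use of the package names above is a quick indicator sweep over a device's installed packages. The following is an added example, not code from the post or from any of the cited research: it parses the output of `adb shell pm list packages -f` (the sample output below is constructed for the demo) and reports any package that matches the dropper list from this post. Matching on package name only catches these exact samples; a missing hit does not mean the device is clean.

```python
"""Sweep a `pm list packages -f` listing for the dropper package names
named in the post. Added example; the package list is copied from the post,
the sample listing is constructed."""

# Package names of the dropper apps listed in the post, with the label they used.
KNOWN_DROPPER_PACKAGES = {
    "com.casualplay.leadbro": "Nano Cleaner",
    "com.zynksoftware.docuscanapp": "QuickScan",
    "com.talkleadihr": "Chrome",
    "com.girltold85": "Play Store",
    "com.cutthousandjs": "Pocket Screencaster",
    "com.biyitunixiko.populolo": "Chrome",
    "com.xifoforezuma.kebo": "Chrome (Mobile)",
    "com.qjlpfydjb.bpycogkzm": "BAWAG PSK Security",
}


def parse_pm_list(output: str) -> dict:
    """Return {package_name: apk_path} from `pm list packages -f` output.

    Each line looks like `package:<apk-path>=<package-name>`. The path itself
    may contain '=' (install directories often end in '=='), so split on the
    last '=' rather than the first.
    """
    packages = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue  # skip adb noise such as "* daemon started successfully *"
        body = line[len("package:"):]
        if "=" not in body:
            continue
        path, pkg = body.rsplit("=", 1)
        packages[pkg] = path
    return packages


def find_known_droppers(installed: dict) -> list:
    """Return sorted (package, label, apk_path) tuples for indicator hits."""
    return sorted(
        (pkg, KNOWN_DROPPER_PACKAGES[pkg], path)
        for pkg, path in installed.items()
        if pkg in KNOWN_DROPPER_PACKAGES
    )


# Constructed sample output; not taken from a real device.
SAMPLE_PM_OUTPUT = """\
* daemon started successfully *
package:/system/app/Chrome/Chrome.apk=com.android.chrome
package:/data/app/~~abc==/com.casualplay.leadbro-1/base.apk=com.casualplay.leadbro
package:/data/app/~~def==/com.example.calculator-2/base.apk=com.example.calculator
package:/data/app/~~ghi==/com.talkleadihr-1/base.apk=com.talkleadihr
"""

if __name__ == "__main__":
    installed = parse_pm_list(SAMPLE_PM_OUTPUT)
    for pkg, label, path in find_known_droppers(installed):
        print(f"HIT {pkg} (posed as '{label}') at {path}")
```

On a real device, pipe `adb shell pm list packages -f` into `parse_pm_list` instead of the constructed sample; the `*` line shows that stray adb messages are ignored rather than parsed as packages.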


What's more, on-device fraud, a stealthy method of initiating bogus transactions directly from victims' devices, has made it feasible to use previously stolen credentials to log in to banking applications and carry out financial transactions.


To make matters worse, the banking trojans have also been observed constantly updating their capabilities, with Octo devising an improved method to steal credentials from overlay screens even before they are submitted.



"This is done in order to be able to get the credentials even if [the] victim suspected something and closed the overlay without actually pressing the fake 'login' present in the overlay page," the researchers explained.



Protecting Yourself Against ODF


For users:

  1. Avoid downloading apps from unverified sources.

  2. Update your device regularly to patch vulnerabilities.

  3. Use hardware tokens or app-based authenticators instead of SMS for MFA.


For organizations:

  • Implement runtime application self-protection (RASP).

  • Use machine learning to monitor and detect unusual patterns of app usage.


It's recommended that users stick to downloading apps from the Google Play Store, avoid granting unusual permissions to apps that have no purpose asking for them (e.g., a calculator app asking to access contact lists), and watch out for any phishing attempts aimed at installing rogue apps.
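The permission advice above (a calculator asking for contacts, or SMS and overlay access it has no reason to need) can be turned into a repeatable check. The following is an added example, not code from the post: it parses an app's AndroidManifest.xml (the manifest below is constructed), collects the permissions it requests, and flags the ones that enable the techniques the post describes (SMS OTP interception, overlays, accessibility-based UI hijacking, silent package installs) whenever the app's stated category has no plausible need for them. The category expectations are this example's own assumptions.

```python
"""Flag high-risk Android permissions that do not fit an app's stated purpose.
Added example; the manifest and the per-category expectations are constructed."""
import xml.etree.ElementTree as ET

# ElementTree keys namespaced attributes as "{uri}attr".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions behind the capabilities the post describes.
HIGH_RISK = {
    "android.permission.RECEIVE_SMS": "can intercept SMS one-time passwords",
    "android.permission.READ_SMS": "can read SMS one-time passwords",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service can read and inject UI input",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages (dropper behaviour)",
    "android.permission.READ_CONTACTS": "can read the contact list",
}

# Assumed baseline of what each app category legitimately needs (example policy).
EXPECTED_BY_CATEGORY = {
    "calculator": set(),
    "scanner": {"android.permission.CAMERA"},
    "messaging": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.READ_CONTACTS",
    },
}


def requested_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus permissions declared on <service>
    elements, which is where an accessibility service announces itself."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for svc in root.iter("service"):
        svc_perm = svc.get(ANDROID_NS + "permission")
        if svc_perm:
            perms.add(svc_perm)
    perms.discard(None)
    return perms


def audit(manifest_xml: str, category: str) -> list:
    """Return sorted (permission, reason) pairs that are high-risk and not
    expected for the given app category."""
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    return [
        (p, HIGH_RISK[p])
        for p in sorted(requested_permissions(manifest_xml))
        if p in HIGH_RISK and p not in expected
    ]


# Constructed manifest for a supposed calculator app; not a real sample.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calculator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Calculator">
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for perm, reason in audit(SAMPLE_MANIFEST, "calculator"):
        print(f"UNEXPECTED {perm}: {reason}")
```

The same manifest audited as a "messaging" app still flags the overlay and accessibility declarations, which is the point: the SMS permissions are only acceptable where the app's purpose explains them, while overlay plus accessibility access has almost no legitimate use in a consumer app.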



ODF’s rise is a stark reminder that cybersecurity must evolve alongside threats. By staying informed and adopting proactive measures, both users and organizations can outpace these cunning schemes.



© 2023 by newittrendzzz.com 
