The term banking Trojan indicates a category of malware that aims to steal the banking credentials of victims and carry out online fraud, usually causing significant economic damage.
Dridex: what and what are banking Trojans
Dridex is a malware of this family and, as a banking Trojan, is typically used to make large financial gains for digital criminals.
Dridex was created in 2015 from the source code of the Bugat banking Trojan, also known as Cridex, but several variations have been around since then.
The authors of Dridex, “Evil Corp“, are part of a Russian cyber gang that appears to lead a rather lavish lifestyle, even evading law enforcement controls.
Although Dridex’s primary goal is to steal banking information from victims, cybercriminals have continuously updated it over the past decade, so much so that since 2020 it has also been used to send ransomware capable of maximizing the profits of its users.
Due to Dridex, careless or inattentive users can face illicit credit card charges, transfers from corporate accounts, and even corporate data breaches that can compromise a company’s entire network and customer base.
The compromise of personal data could instead lead attackers to perpetrate identity theft and fraud of various kinds.
Banking Trojans bypass two-factor authentication
One-time SMS passwords, alone, are not enough to reliably protect your mobile bank from attacks by banking Trojans.
Two-factor authentication via SMS is widely used by banking institutions.
Of course, this measure works better than a simple password, but it’s not impenetrable.
Already 10 years ago, security experts discovered how it can be circumvented, when this security measure was just gaining popularity.
The same goes for malware creators. That’s why banking Trojan developers easily crack single-use SMS passwords.
Method of attack
Here’s how it works:
1. a user opens an official banking app on his smartphone;
2. a Trojan detects which app is being used and superimposes a fake copy on its interface (the fraudulent screen is the same as the real one);
3. the victim enters the login credentials in the fake app;
4. the criminals request a financial transaction on their account;
5. the Trojan sends the user’s credentials to the criminals, who use them to log into the user’s real banking app;
6. the victim’s phone receives an SMS with the one-time password;
7. the Trojan extracts the password from the SMS and sends it to cybercriminals;
8. also hides the SMS from the user, so that the victim is not aware of the operations in progress until his current account and transactions are under control;
9. Criminals use the intercepted password to confirm the transaction and receive the victim’s money.
Banking Trojans adaptability
It is an exaggeration to say that every modern banking Trojan knows how to bypass two-factor authentication systems with SMS.
Indeed, malware creators have no other choice: as all banks resort to this security measure, Trojans have to be adapted.
Tons of illegal apps can do this. In the last few months, Kaspersky experts have published three detailed reports dedicated to three different malware families.
Asacub: a spying app that evolved into a Trojan and learned how to steal money from mobile banks.
Acecard: a very powerful Trojan capable of overlapping the interfaces of nearly 30 different banking apps. By the way, now mobile malware is dominating this trend: at first, Trojans targeted an app from a certain bank or payment service, but now they manage to fake many apps at the same time.
Banloader: a cross-platform Brazilian origin Trojan, capable of infiltrating PCs and mobile devices simultaneously.
How to protect yourself?
From what we have seen, two-factor authentication is not able to 100% protect from mobile banking Trojans.
However, the situation is not improving. That is why additional security measures are needed today.
The basic rule, useful but not foolproof, is to install apps only from official stores.
The point is that there have been enough instances where Trojans have succeeded with the Play Store or even the App Store.
That is why the most reliable solution is to install a good antivirus on the mobile.
As always in this kind of scam, the main advice is not to trust suspicious emails and not to open their content.
CSIRT Italia, in these cases, suggests to “scrupulously check the e-mails received and disable the macros or limit their connections to the internet, be wary of attachments that invite you to perform actions such as enabling the contents or having a password.
Periodic organization of training sessions to teach you how to recognize phishing emails is also strongly recommended.