Research on seven Indian banks has shown that their mobile apps may be open to attack because of malware and a failure to carry out regular mobile app security testing.
FireEye’s report tracking digital banking fraud indicates that the mobile apps of these Indian banks were infected with malware that was able to steal user credentials.
Post-demonetisation, digital payments in India are a visible target for hackers. The problem is compounded by the national preference for Android devices that are vulnerable to attack and by banks failing to carry out regular mobile app security testing.
The research showed that the Indian banking apps were under threat from the Webinjects and Bugat malware.
The Webinjects malware is a variant of the form grabbing technique. It focuses on the browser's functions that encrypt and send data to a browser page. The malware intercepts the data before it is encrypted with SSL so that it can read the HTTP header and steal usernames and passwords. FireEye reported that it was being used to get users to download a malicious application.
Bugat became popular after the demise of ZeuS, which was used to raid bank accounts. It is being used to steal user data during online banking. The stolen credentials are then used to commit wire transfer fraud.
This is a worrying new development given the government’s push for digital banking to gain traction. There are also reports that government-backed apps such as BHIM and UPI are vulnerable to security issues, along with reports of fraudulent transactions.
In March, the state-owned Bank of Maharashtra reported 50 cases of fraud on the UPI app, with losses amounting to Rs 6.14 crore.
These banks, and the government, need to ensure that their customers are downloading their apps from official sources, test for malware, and run regular mobile app security testing.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.