On September 24, 2018, clients of three major Czech banks were hit by mobile malware and had money stolen from their bank accounts. What happened with the QRecorder malware? (updated version)
3. What happened?
• Several clients of the Czech banks reported losing money from their bank accounts.
• In total, "high tens of thousands" of US dollars were lost.
• About 10 000 users might be affected by the malware.
• The users had their Android smartphones infected with mobile malware; ESET was the first to report it.
• The police are currently investigating the incident.
5. More info about the malware
• QRecorder: a repackaged phone-call recording app.
• Distributed via Google Play, i.e. through a regular channel.
• Activated via a remote update at the right moment. Internally, the "Spy.Banker.AIX" malware core was used.
• Tailor-made for specific banks; it was able to bypass the additional security measures designed by the banks.
7. What was the principle of this attack?
• The attack was in principle a clever "overlay attack."
• The malware placed an overlay on top of the legitimate banking app and requested sensitive information from the user, pretending that the legitimate mobile app was asking for it.
• After gathering enough private information, it intercepted the SMS OTP sent by the bank and took full control of the bank account.
8. What can banks do?
• Invest in App Shielding / RASP technologies to protect their mobile banking apps from overlay attacks and other sophisticated runtime attacks.
• Be ready to respond fast when a similar threat emerges again.
• Educate customers, though it would not have helped in this case: the customers did everything right.
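The overlay technique from slide 7 and the app-shielding advice from slide 8 can be illustrated from the defending app's side. The Kotlin snippet below is an added example and is not code from the slides, from ESET, or from any bank's app. It relies only on public Android APIs (`View.setFilterTouchesWhenObscured`, `MotionEvent.FLAG_WINDOW_IS_OBSCURED`, `Window.setHideOverlayWindows` on Android 12+, and `PackageManager.GET_PERMISSIONS`); the package name `com.example.overlayguard`, the class `LoginActivity` and the `onPossibleOverlay` reporting hook are names assumed for this illustration.

```kotlin
// Added example (not from the original slides): minimal overlay hardening for
// an Android banking app's sensitive screen. Package/class names are assumed.
package com.example.overlayguard

import android.Manifest
import android.app.Activity
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.MotionEvent
import android.widget.EditText

/** Returns package names (other than our own) that request SYSTEM_ALERT_WINDOW,
 *  the permission behind "draw over other apps" overlays. Whether the grant is
 *  currently active is an AppOps setting and is not visible from here, so treat
 *  the list as a risk signal, not proof. On Android 11+ package visibility rules
 *  limit the result unless the app declares QUERY_ALL_PACKAGES or <queries>. */
fun overlayCapablePackages(ctx: Context): List<String> {
    val pm = ctx.packageManager
    return pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)
        .filter { it.packageName != ctx.packageName }
        .filter { pkg ->
            pkg.requestedPermissions
                ?.contains(Manifest.permission.SYSTEM_ALERT_WINDOW) == true
        }
        .map { it.packageName }
}

class LoginActivity : Activity() {

    private lateinit var pinField: EditText

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        pinField = EditText(this)
        setContentView(pinField)

        // 1. Refuse touches that reach this view while another window covers it.
        //    The framework marks such events with FLAG_WINDOW_IS_OBSCURED; with
        //    this property set the view drops them instead of acting on them.
        pinField.filterTouchesWhenObscured = true

        // 2. Android 12+ (API 31): ask the system to hide non-system overlay
        //    windows while this activity is visible. Needs
        //    android.permission.HIDE_OVERLAY_WINDOWS in the manifest.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }

        // 3. Inventory overlay-capable apps so the app (or its backend) can
        //    raise the risk score for this session on older Android releases.
        val suspects = overlayCapablePackages(this)
        if (suspects.isNotEmpty()) {
            onPossibleOverlay("overlay-capable packages present: $suspects")
        }
    }

    // 4. Activity-level check: a touch flagged as obscured on a credential
    //    screen means something is drawn over us. Swallow the event and report.
    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        if ((ev.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            onPossibleOverlay("touch delivered while window obscured")
            return true // consumed and discarded, never reaches the PIN field
        }
        return super.dispatchTouchEvent(ev)
    }

    /** Assumed reporting hook: in a real app this would feed the bank's
     *  risk engine / RASP telemetry and could lock the session. */
    private fun onPossibleOverlay(reason: String) {
        Log.w("OverlayGuard", "possible overlay attack: $reason")
    }
}
```

Two limits are worth keeping in mind. Touch filtering (steps 1 and 4) defeats overlays that pass touches through to the real app, but an overlay that captures the victim's input itself, as in the QRecorder case, never lets a flagged touch reach the bank's app; there, hiding overlay windows (step 2, Android 12 and later) and flagging overlay-capable packages (step 3) are the checks that still apply. These are a thin slice of what commercial App Shielding / RASP products do, which is why the slides recommend investing in them rather than hand-rolling the protection.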
9. What can app users do?
• Uninstall the QRecorder app if they have it on their smartphone!
• Install a mobile anti-virus solution.
• Be alert to changes in the behavior of their mobile banking app.
• Never enter credentials intended for Internet banking into the mobile banking app or any system other than Internet banking.