
By Tony Anscombe, Chief Security Evangelist at ESET
The rise of mobile banking and financial management apps has changed how businesses and customers interact, with the intent of offering increased convenience and efficiency. However, this shift has also opened new doors for cybercriminals, particularly on the Android platform, which dominates the global smartphone market. According to the ESET Threat Report H2 2024, Android financial threats, targeting banking apps as well as cryptocurrency wallets, grew by 20% compared to the previous period.
Why target small business’ finances?
Small businesses, often limited in resources and expertise, are increasingly vulnerable to sophisticated financial cyberattacks. Businesses like accounting and payroll services that manage client payments or process sensitive transactions are particularly at risk, as a single breach can cost customer trust and have long-lasting repercussions, including financial ones.
There are extremely sophisticated threats that can sometimes circumvent what may be considered secure processes and practices. For example, the infostealer known as Lumma Stealer offers cybercriminals the opportunity to collect, in real time, the SMS one-time passcodes sent by a financial organization. The risk arises when SMS code-sharing browser extensions are in use: typically, where financial credentials are shared by several employees, the web extension centralizes the one-time code and then distributes it to each of the registered extension users. For more details on the prevalence and rise of Lumma Stealer, see the ESET Threat Report H2 2024.
Understanding the emerging threats and implementing proactive measures to protect both customers and business operations has become more critical than ever, especially considering some of the discoveries made by ESET Research.
Alarming trends
ESET Research has revealed an alarming trend around Android-targeted financial threats. Attackers are leveraging Progressive Web Apps (PWAs) and Web Android Package Kits (WebAPKs) to create malicious applications that can bypass traditional app store vetting processes and security warnings.
The mechanics of these attacks are sophisticated yet deceptively simple. Victims are typically lured in through phishing campaigns that exploit various communication channels, including SMS, automated calls, and social media advertisements. In all cases, victims are given a push, urging them to click on a malicious link.
By clicking on the provided link, the users are redirected to phishing websites that closely mimic official banking app sites, offering downloads for PWA/WebAPKs. PWAs are essentially websites bundled into what feels like a standalone application, using native system prompts. They are basically shortcuts to websites offering almost app-level interaction to the users. The same is true for Web Android Package Kits (WebAPKs), but they are packaged as APKs (native apps) for deeper integration with the Android system. In essence, WebAPKs are upgraded PWAs.
Once installed, these apps function as fake banking interfaces, obtaining sensitive data by phishing or other means and transmitting it to the attackers. Insidiously, installing such an app does not trigger the “installing unknown apps” warning shown for regular third-party APKs, making the deception even harder for regular users to recognize. On Android, these phishing WebAPKs even appear to have been installed from the Google Play store.
The threat from apps that ultimately impersonate a legitimate app to steal login credentials and gather personal information should not be underestimated. While the attack may be on the customer of a niche smaller business, such as the user of a wealth management app, the result will damage trust. The association of the brand with cyberattacks of any type will have a negative brand connotation.
A multi-layered approach to threat protection
For the businesses (such as banks) offering legitimate versions of the above-described apps, there can be substantial ramifications for having their brand and business associated with such attacks.
Hence, providing apps that offer security measures that protect against these, or make the legitimate one hard to impersonate, requires a comprehensive strategy. Businesses need to innovate a variety of proactive measures to protect against malicious apps duping their customers, including:
- Multi-factor authentication, which significantly reduces the risk of unauthorized access by requiring multiple verification methods. This approach combines something the user knows (e.g., a password), something they have (e.g., a smartphone or security token), and something they are (e.g., biometric data such as fingerprints or facial recognition).
- Consider usage of dynamic data encryption keys to mitigate the human risk element in cybersecurity. These data keys are uniquely generated for every transaction and change frequently, making it harder for attackers to abuse stolen credentials.
- Regular security audits should help identify and address vulnerabilities before attackers can exploit them.
- Adopting stringent coding standards and conducting regular code reviews to minimize the risk of security gaps in app updates.
- Regular cybersecurity awareness training sessions for both staff and customers. Keeping staff informed about emerging cyber threats and best practices for handling them is essential, as is educating customers on how to identify fake vs. real apps and how to adopt a good personal cybersecurity posture. Consider making the education engaging and fun, maybe even a gamified approach.
- Deploy Artificial Intelligence, which can detect unusual logins, transactions, and changes in the user account based on previous analysis of user behavior patterns.
- Cloud security enhancements, which leverage automatic updates and scalability to strengthen defenses while reducing reliance on physical servers.
- Blockchain security applications, offering immutable and encrypted transaction records for additional protection against data breaches.
For all these actions, simplicity is key. User-friendly security measures, such as biometric authentication or password managers, should be intuitive and easy to use, encouraging businesses and their employees to adopt and maintain these practices long-term.
How to protect customers
At a time when convenience often comes with hidden risks, small businesses have an opportunity to differentiate themselves by demonstrating a commitment to security. This not only protects their operations but also builds customer loyalty in a competitive marketplace.
Educating customers is a vital step. Businesses can empower customers by highlighting their own security efforts, like two-factor authentication and secure transactions. By making security part of their brand identity and providing supportive resources, SMBs can create a safe, confident experience for their customers. The business may even take the proactive step of partnering with a mobile cybersecurity company to provide their customers with advanced protection either at an advantageous price or as part of a subscription to their own service.
Strengthening internal security measures is equally important. Small businesses should consider educating employees on the risk and implementing mobile threat detection solutions capable of identifying and neutralizing malicious PWAs and WebAPKs. They should also collaborate with financial partners, sharing intelligence on emerging threats and developing coordinated incident response plans to address attacks, either on themselves or their customers, quickly and effectively.
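As an added example (not code from the original post or from ESET), the following Python script shows the kind of inventory check a mobile threat detection tool or an administrator could run to surface the Play-installed WebAPK lookalikes described earlier: WebAPKs carry the `org.chromium.webapk.` package-name prefix and report Google Play as their installer, so the script parses `adb shell pm list packages -i` output and flags any WebAPK whose start URL host is not one of the bank's own domains. The sample inventory, the start-URL map and the bank's domain list are constructed; collecting each WebAPK's start URL from its manifest is assumed to happen separately.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Package-name prefix Chrome uses for WebAPKs it mints from a site's web manifest.
WEBAPK_PREFIX = "org.chromium.webapk."
# Installer reported by `pm list packages -i` for Play-delivered apps; WebAPKs report it too.
PLAY_INSTALLER = "com.android.vending"

@dataclass
class Package:
    name: str
    installer: str

def parse_pm_list(output: str) -> list[Package]:
    """Parse `adb shell pm list packages -i` lines: 'package:<name>  installer=<pkg|null>'."""
    packages = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        installer = fields[1].removeprefix("installer=") if len(fields) > 1 else "null"
        packages.append(Package(fields[0], installer))
    return packages

def triage(packages, start_urls, legit_hosts):
    """Return (package, looks_play_installed, host, verdict) for each WebAPK in the inventory.
    start_urls maps package -> start URL from the WebAPK's manifest (assumed gathered separately)."""
    findings = []
    for pkg in packages:
        if not pkg.name.startswith(WEBAPK_PREFIX):
            continue  # native apps are outside this WebAPK-specific check
        host = urlparse(start_urls.get(pkg.name, "")).hostname or "unknown"
        verdict = "expected" if host in legit_hosts else "lookalike-or-unknown"
        findings.append((pkg.name, pkg.installer == PLAY_INSTALLER, host, verdict))
    return findings

# Constructed sample: one native bank app, one genuine WebAPK, one lookalike WebAPK.
SAMPLE_INVENTORY = """\
package:com.examplebank.mobile  installer=com.android.vending
package:org.chromium.webapk.a1b2c3d4e5f6  installer=com.android.vending
package:org.chromium.webapk.f6e5d4c3b2a1  installer=com.android.vending
"""
SAMPLE_START_URLS = {  # constructed; in practice read from each WebAPK's manifest
    "org.chromium.webapk.a1b2c3d4e5f6": "https://app.examplebank.test/login",
    "org.chromium.webapk.f6e5d4c3b2a1": "https://examplebank-secure-login.test/app",
}
LEGIT_HOSTS = {"app.examplebank.test"}
if __name__ == "__main__":
    print(*triage(parse_pm_list(SAMPLE_INVENTORY), SAMPLE_START_URLS, LEGIT_HOSTS), sep="\n")
```

A finding with a host outside the bank's own domains is the signal to examine the WebAPK's manifest and the site it points to, rather than trusting the Play-store appearance of the install.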
Cyberattacks may continue to grow in sophistication, but with the right tools and strategies, businesses and their customers can stay one step ahead. By staying informed about emerging threats, investing in robust security measures, and fostering collaboration with industry partners, small businesses can ensure their customers’ safety.
