Hackers Exploiting Vulnerabilities of Mobile Banking Apps: How Does It Work?

A mobile banking app is a kind a mediator between a user and an automated banking system. When transactions are carried out on a mobile banking app, they are transmitted to the bank's server and processed by the relevant payment systems, with the user being notified once the action is completed. Online banking works the same way. To steal money, a cybercriminal thus needs to figure out how to interfere in this process.

The risk of an app being compromised depends on whether a bank properly adopts secure software development since a finished mobile app is the last line of defense.

Any exploitation of mobile banking app vulnerabilities goes through two stages:

Firstly, hackers find a vulnerability and create a payment instruction. For instance, any Android application is an .apk file which can be viewed and analyzed for vulnerabilities. Once an intruder finds an app code vulnerability, the easiest way to exploit it on the user's device is to disseminate a Trojan virus written specifically for mobile banking apps. Such attacks targeted at certain mobile banking services are popular with cybercriminals. If a Trojan virus ends up in the device, it is just a matter of time before an intruder will manage to send a transaction request to the bank's server. This is a bit more difficult with iOS apps as Apple encrypts all.ipa files underlying its applications. Such a file is decrypted only in smartphone memory, meaning that extracting it requires more sophisticated technical skills.

Secondly, cybercriminals look to prevent users from noticing that their finances are being interfered with by someone else. If the user is informed by push notifications, they can also be compromised along with the app. Many banking services use push notifications by default to avoid having to send an SMS. If the user opts for SMS notifications, hacking becomes more complicated. In order to hide SMS notifications, the attacker needs to equip malware with functionality that can either modify online banking account settings or hack the smartphone manufacturer’s SMS application. However, in both cases, the cyberattack will take much more effort.

Therefore, to protect their mobile banking operations, users should make sure their devices are not infected by Trojans or other malware. It's important to remember that software and files should not be installed from unreliable sources, which may host malware as well. In addition, URLs and attachments received from unknown senders should not be opened.

Many Android smartphones now have an encrypted secure folder, where all sensitive apps should ideally be installed. Android users are not recommended to carry out Rooting, although many mobile banking apps track if the smartphone is rooted. In this case, the app will either malfunction or operate in reading mode, prohibiting any transactions. At the same time, iOS users should not opt for jailbreaking. Regardless of your OS, it’s better to use SMS notifications since smartphones are present in areas covered by cellular networks more often than in internet zones.

In cases where large amounts of money are kept in a bank account, users can opt to prevent transactions exceeding a certain sum without physical approval.

While some bank clients also buy insurance, in the case of a cyberattack and theft of funds, it is often very difficult to prove who is at fault. It is thus necessary to study the agreement to figure out if the incident is covered by insurance and how much money the bank should return.