Banking malware continued to plague the Android platform throughout 2018, with cybercrooks relentlessly targeting users with banking Trojans and fake banking apps, but also experimenting with new money-stealing techniques.

To help users navigate the tricky and expanding landscape of Android threats, Lukáš Štefanko, a malware researcher at ESET, sheds light on the most prevalent types, tactics and techniques of today’s Android banking malware in his white paper, “Android banking malware: Sophisticated Trojans vs. Fake banking apps”.

We sat down with Lukáš and asked him a few questions about his latest publication.

What made you focus on this topic in such detail?

I deal almost daily with malicious apps going after Android users’ banking credentials. They use many different tricks, techniques and distribution methods, but can ultimately be divided into two broad groups – as the title of the white paper suggests. The distinction might not be so clear to regular Android users, so I wanted to address that.

So, sophisticated banking Trojans and fake banking apps. Why is it important for a regular user to be familiar with the difference?

If users know what they’re up against, I believe they have a better chance of staying safe. The two categories might seek the same goal – stealing credentials for, or money from, their victims’ bank accounts – but their strategies for achieving that goal are very different. And that means that the ways to prevent or remove threats will also be different for each category.

Please explain the differing strategies to someone new to the topic?

Banking Trojans are devious – they try to make users install them by pretending they are something fun or useful, but definitely totally harmless. Think games, battery managers and power boosters, weather apps, video players, and so on. They try to keep users in the dark while they collect the rights and permissions needed for their grand finale. Then, when users least expect it, they slide a fake login screen over a legitimate banking app and steal the entered data. Victims might not be aware of anything happening until they find out that money has disappeared from their accounts.

Fake banking apps are much simpler – they go all in trying to convince users they are legitimate banking apps. Once installed and launched, they lead with a login form, just like a real banking app would. And, as you probably already guessed, the credentials submitted into the form are harvested. Victims usually realize immediately what happened as the app reveals itself by having no further banking app functionality.

What are the chances of users falling for a fake banking app?

I’d say the chances are lower than with banking Trojans, but nowadays some apps can look pretty trustworthy despite being fake. What’s maybe more important than how many users install malware is how many of them actually fall victim – and the odds are high with fake banking apps. This is because users install those apps believing they are installing an actual banking app, which makes them willing to enter their credentials upon seeing a login screen.

Is one of these categories considered more dangerous than the other?

From the technical point of view, yes – banking Trojans are more robust and increasingly hybrid-like. That means their capabilities go beyond just phishing for banking credentials, they could for example have some spying functions or ransomware-like capabilities. But if we’re talking about the danger of getting one’s banking credentials stolen, I think fake banking apps are just as dangerous.

What advice would you pick out of your white paper as most useful?

I see three main principles in steering clear of Android banking malware.

First, stay away from unofficial app stores, if possible, and always keep “installation of apps from unknown sources” disabled on your device.

Second, pay close attention to the app’s reputation on Google Play, and continue paying attention to its behavior after it’s installed. Negative reviews and permissions that aren’t connected to the app’s function are the biggest red flags.

And finally, only ever download banking and other finance apps if they are linked on the official website of the bank or financial service.

Actually, this approach – specifically looking for apps you need rather than installing apps you “happen to stumble upon” – may be the way to avoid malware altogether.

Lukáš Štefanko will provide an overview of the latest Android malware and also discuss poorly secured legitimate apps focused solely on ad revenue at Mobile World Congress (MWC) – taking place February 25 – 28, 2018 in Barcelona.