Banking Malware & Attack Vectors Outlook For 2020 (Part 2)

21.7.2020 Research

In the previous part of this article, we covered the main banking malware families, the most common ways you can get infected, and the consequences of an infection.

Here we look briefly at the techniques attackers use to get malicious content onto your computer or phone. At the end of every section we add advice on how to prevent that particular technique.

Desktop Malware Coming from Spam/Phishing e-mail

Excel File With Macros

Microsoft Office applications, specifically Word and Excel, include a powerful macro language (VBA), and macros are still a popular method of malware delivery. These days macros are disabled by default, so the malware author must convince the user to enable them, typically with a banner claiming the document was created in an older version of Office and needs "Enable Content" to display properly. The infected file is usually delivered as an e-mail attachment, often inside a ZIP archive.

Prevention: Think twice before opening any attachment, never click "Enable Content" on a document you did not expect, and verify any suspicious e-mail with the sender via a different channel than e-mail (e.g., by phone).

EXE File Masquerading With a Different Extension in Its Name

Windows Explorer hides the extension of known file types by default. The attacker exploits this by adding an Office extension to the file name: the file appears as Invoice.xlsx while the real name is Invoice.xlsx.exe, and because the true extension is .exe, the malware runs when the user opens it. The file icon is usually changed to match Excel as well.

Prevention: Turn off "Hide extensions for known file types" in Explorer and check the file properties (the Type column) before opening; verify the e-mail with the sender via a different channel than e-mail; if you cannot verify it, upload the file to a free online malware scanner, keeping in mind that uploading shares the file with a third party.
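As an added example (not code from the original article), the following script performs the checks a user or a mail gateway can run on an attachment before it is opened, covering both lures above: a double extension hidden by Explorer, a PE header behind a document extension, and a VBA project inside an Office file. It goes slightly beyond the text by also flagging the right-to-left override trick, where a Unicode character makes "Statement\u202efdp.exe" render as "Statementexe.pdf". All sample files are constructed by write_samples(); none of them is real malware, and the file names are invented.

```python
"""
Attachment triage: checks that a user or a mail gateway can run on a file
before opening it, covering the macro and double-extension lures above.
Added example, not code from the original article. Every sample file is
constructed by write_samples(); none of them is real malware.
"""
import os
import tempfile
import zipfile

# Extensions Windows runs on double-click; Explorer hides known extensions by default
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf", ".lnk"}
DOCUMENT_EXTS = {".xlsx", ".xlsm", ".xls", ".docx", ".docm", ".doc", ".pdf"}
MACRO_FREE_EXTS = {".xlsx", ".docx"}  # OOXML formats that must not carry VBA
RTLO = "\u202e"  # Unicode right-to-left override: reverses how the rest of a name is drawn


def displayed_name(filename):
    """The name Explorer shows with 'Hide extensions for known file types' enabled."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_pe(path):
    """Windows executables (EXE/DLL/SCR) begin with the 'MZ' DOS header."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def ooxml_has_macros(path):
    """Office 2007+ documents are ZIP archives; VBA code is stored in a vbaProject.bin part."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def triage(path):
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    findings = []
    name = os.path.basename(path)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(displayed_name(name))[1].lower()
    if RTLO in name:
        findings.append("RTLO character in name: the displayed extension is not the real one")
    if real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS:
        findings.append("double extension: displayed as %s, really %s" % (displayed_name(name), real_ext))
    if real_ext in DOCUMENT_EXTS and is_pe(path):
        findings.append("document extension but the content is a PE executable")
    if real_ext in MACRO_FREE_EXTS and ooxml_has_macros(path):
        findings.append("macro-free extension but the archive contains a VBA project")
    elif real_ext in DOCUMENT_EXTS and ooxml_has_macros(path):
        findings.append("contains VBA macros: do not click 'Enable Content'")
    return findings


# Constructed samples (hypothetical names, harmless content): name -> kind
SAMPLES = [
    ("Invoice.xlsx.exe", "pe"),              # double extension
    ("Statement" + RTLO + "fdp.exe", "pe"),  # drawn as "Statementexe.pdf"
    ("Report.docx", "ooxml"),                # clean document
    ("Budget.xlsm", "ooxml+vba"),            # macro-enabled workbook
    ("Quote.docx", "ooxml+vba"),             # VBA hidden in a macro-free format
    ("Readme.txt", "text"),
]


def write_samples(directory):
    """Write the constructed samples into directory; returns {name: path}."""
    paths = {}
    for name, kind in SAMPLES:
        path = os.path.join(directory, name)
        if kind.startswith("ooxml"):
            with zipfile.ZipFile(path, "w") as z:
                z.writestr("[Content_Types].xml", "<Types/>")
                if kind == "ooxml+vba":
                    z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE2 magic stub
        else:
            with open(path, "wb") as f:
                f.write(b"MZ" + b"\x00" * 62 if kind == "pe" else b"just text\n")
        paths[name] = path
    return paths


def demo():
    """Write the samples to a temporary directory and triage each; returns {name: findings}."""
    with tempfile.TemporaryDirectory() as d:
        return {name: triage(p) for name, p in write_samples(d).items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(repr(name), "->", findings or ["ok"])
```

The macro check relies on the container format only, so it works without Office installed; a real gateway would additionally look at the VBA source (for auto-run procedures such as AutoOpen) and at the Mark-of-the-Web zone identifier that browsers and mail clients attach to downloads.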

Visiting pages where a vulnerable Flash Player is loaded; Flash launches Windows PowerShell and executes code (file-less malware attack)

Attackers exploit vulnerabilities in software such as Flash Player to take control of the affected system. A malicious Flash object is embedded in a page the user visits (a compromised site or a malicious advertisement); when the vulnerable player loads it, the exploit runs code in the browser's context, typically launching PowerShell with a script that exists only in memory, so no executable is ever written to disk.

Prevention: Always update Flash Player and other software to the most current version, or better, uninstall Flash entirely: Adobe ends support for Flash Player on 31 December 2020, after which no more security fixes will be released.

Malware Code Execution via Webinjection Technique

Webinjects are usually used for stealing sensitive data, such as login credentials or a session cookie, or for transaction tampering. Because the malicious code runs inside the victim's browser, this is a man-in-the-browser attack: both the page the user sees and the request the bank receives can be altered, and TLS offers no protection because the modification happens after decryption.

The malware may masquerade as a browser add-on/extension, or a desktop component may inject code into the website the browser renders in order to execute malicious JavaScript, for example adding extra fields to a login form or hiding a fraudulent transfer from the account overview.

Prevention: Install only trusted software from trusted sources, check reviews before installation, and periodically review the extensions installed in your browser.

Website clickjacking

Tricking users into clicking a website element that is disguised as another, using transparent or concealed layers, is another way malware can reach your computer. The user clicks on what looks like a harmless popup or button, but the click lands on a hidden element that downloads malware or performs an action in an account the user is logged into.

Prevention: Mostly done in website configuration: the site sends an X-Frame-Options header or, preferably, a Content-Security-Policy with a frame-ancestors directive, so browsers refuse to render it inside another site's frame. Users can install a browser add-on that blocks clickjacking.
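To make the website-side prevention concrete, here is an added example (not from the original article) that takes a set of HTTP response headers and answers the question a clickjacking attacker asks: would this page load inside a frame on my origin? It applies the rule browsers use, where a CSP frame-ancestors directive takes precedence over X-Frame-Options, and it compares a weak header set with a hardened one. The origins bank.example and evil.example, and the header sets, are constructed for the demonstration.

```python
"""
Framing check for clickjacking: given a page's response headers, decide
whether a browser would render it in a frame on another origin.
Added example, not from the original article; header sets and origins
are constructed.
"""


def csp_frame_ancestors(csp_value):
    """Source list of the frame-ancestors directive, or None if the policy lacks it."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def source_matches(source, page_origin, framer_origin):
    """Does one frame-ancestors source expression allow framer_origin?"""
    if source == "*":
        return True
    if source == "'self'":
        return framer_origin == page_origin
    if source.startswith("https://*."):              # host wildcard: matches subdomains only
        suffix = source[len("https://*"):]             # ".bank.example"
        return framer_origin.startswith("https://") and framer_origin.endswith(suffix)
    return source == framer_origin                     # exact origin


def framing_allowed(headers, page_origin, framer_origin):
    """True if a browser would show page_origin's response inside a frame on framer_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, framer_origin = page_origin.lower(), framer_origin.lower()
    ancestors = csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # frame-ancestors is authoritative: browsers that support it ignore X-Frame-Options
        if "'none'" in ancestors:
            return False
        return any(source_matches(s, page_origin, framer_origin) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    # No header at all, or the obsolete ALLOW-FROM form, which current browsers ignore
    return True


# Constructed header sets: the weak configuration beside the corrected one
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",                  # legacy browsers
    "Content-Security-Policy": "frame-ancestors 'self'",  # modern browsers
}


def report(page_origin="https://bank.example", framer_origin="https://evil.example"):
    """Compare the two configurations against a hypothetical attacker origin."""
    return {
        "weak": framing_allowed(WEAK_HEADERS, page_origin, framer_origin),
        "hardened": framing_allowed(HARDENED_HEADERS, page_origin, framer_origin),
    }


if __name__ == "__main__":
    for label, allowed in report().items():
        print("%-9s framing by evil.example: %s" % (label, "ALLOWED" if allowed else "blocked"))
```

Sending both headers is deliberate: frame-ancestors is the current standard, while X-Frame-Options still protects older clients. The check also shows why ALLOW-FROM should not be relied on; a site that only sends that form is, in practice, unprotected.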

Other file-less malware

File-less malware leverages trusted, already-installed components instead of dropping its own executable: PowerShell (the Ramnit Trojan), Microsoft Office macros (Ursnif) or WMI. The malicious code lives inside a legitimate desktop application (typically the web browser) or a mobile app (usually to spy on users), so there is no new file on disk for an antivirus scanner to flag.

Prevention: Difficult. Knowing what is normal on your devices and operating system plays a significant role; on Windows, enabling PowerShell script block logging and Constrained Language Mode makes this kind of abuse both visible and harder to carry out.

Mobile malware tricks

As said before, malware often misuses app permissions and tricks users into granting them. Examples of such permissions are given in the sections below.


Attackers use an overlay technique to render an extra layer on top of other apps. Overlays can intercept user input intended for the underlying app and capture sensitive data, or present a fake login screen that matches the banking app underneath.

Red boxes indicate overlay layers intercepting inputs

This attack can be combined with clickjacking on apps, also known as "UI redressing": an interface-based attack in which the malware overlays a window on top of a legitimate application and asks the user to tap in certain places in the overlay, while passing those taps through to the application below. This way the malware can trick the user into almost any action, while the user remains unaware of what is actually happening underneath the overlay.

Prevention: Look closely at which apps have the SYSTEM_ALERT_WINDOW permission enabled ("Display over other apps" in Android settings). This permission, if granted, is what allows the malware to draw overlays, and very few apps legitimately need it.

SMS Stealing

If malware requests access to SMS messaging and the user grants it, it can leak the one-time passwords (OTPs) the bank sends. The malware can forward the OTP to the attacker over HTTP or simply re-send every received SMS to an attacker-controlled number.

Prevention: The suspicious permissions are READ_SMS, RECEIVE_SMS and SEND_SMS. A flashlight or game app has no reason to ask for any of them.

Figure 2 – Stealing SMS Attack Vector

Accessibility Abuse

The accessibility service is part of the Android operating system and allows people with disabilities to use their phones without obstacles. Malware of the Anubis family (described in Part 1 of this article) is a perfect example of accessibility abuse. Once the malware is granted the accessibility service permission, it can read everything on screen and perform taps on the user's behalf, so it can grant itself any further permission it wants and gain access to OTP/2FA codes, as we described earlier on our blog.

Prevention: Watch out for apps that declare a service protected by BIND_ACCESSIBILITY_SERVICE, and review Settings > Accessibility for services you did not knowingly enable.

Abusing Android’s Multitasking System

An example of abusing multitasking is the StrandHogg vulnerability. It lets a malicious app's screen insert itself into the task of a legitimate app (by declaring that app's task affinity), so that when the victim taps the legitimate app's icon, the malicious screen is shown instead. The malware can then ask for a permission while appearing to be the legitimate application; for example, it can request permission to read SMS messages at the moment the victim opens the real SMS application, or show a fake login screen.

Prevention: Treat a permission request or login screen that appears unexpectedly when you open a trusted app as suspicious; a legitimate app rarely asks for a new permission on every launch.

Keylogging Apps

Keylogging apps usually combine phishing techniques with misuse of permissions (overlay or SMS rights) in order to capture credentials and then make a payment transaction on the user's behalf.

Trojanization of App

Probably the rarest attack listed. A legitimate app, after an update, starts acting as a malware dropper: it installs additional apps on the device, which can be malicious.
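The mobile prevention advice above boils down to looking at what an app declares. The following added example (not code from the original article) audits a decoded AndroidManifest.xml, such as the one produced by `apktool d app.apk`, for the indicators discussed in the mobile sections: the overlay permission, the three SMS permissions, a service bound with BIND_ACCESSIBILITY_SERVICE, activities that set a foreign task affinity or allow task reparenting (the StrandHogg pattern), and REQUEST_INSTALL_PACKAGES, which a dropper needs to install further apps. The two manifests and the package names com.example.flashlight, com.example.bank and com.example.notes are constructed for the demonstration, and the task-affinity check is a heuristic rather than proof of malice.

```python
"""
Manifest audit for the mobile permission abuses described above: overlay,
SMS stealing, accessibility abuse, StrandHogg-style task hijacking and
dropper behaviour. Added example, not from the original article; the
manifests below are constructed, not taken from a real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Qualified attribute name for android:<attr> as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay: can draw windows over other apps",
    "android.permission.READ_SMS": "SMS: can read stored OTP messages",
    "android.permission.RECEIVE_SMS": "SMS: can intercept incoming OTP messages",
    "android.permission.SEND_SMS": "SMS: can forward OTPs to the attacker",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper: can install further APKs",
}


def audit_manifest(xml_text):
    """Return a list of (subject, reason) findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    findings = []

    for perm in root.iter("uses-permission"):
        name = perm.get(android("name"))
        if name in RISKY_PERMISSIONS:
            findings.append((name, RISKY_PERMISSIONS[name]))

    for service in root.iter("service"):
        if service.get(android("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append((service.get(android("name")),
                             "accessibility: service can read the screen and perform taps"))

    for activity in root.iter("activity"):
        name = activity.get(android("name"))
        affinity = activity.get(android("taskAffinity"))
        # The default affinity is the app's own package name; naming another
        # package lets this activity slip into that app's task (heuristic).
        if affinity and affinity != package:
            findings.append((name, "task hijacking: taskAffinity set to %s" % affinity))
        if activity.get(android("allowTaskReparenting")) == "true":
            findings.append((name, "task hijacking: allowTaskReparenting=true"))
    return findings


# Constructed manifest of a hypothetical "flashlight" app showing every indicator at once
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
        <activity android:name=".LoginOverlay"
            android:taskAffinity="com.example.bank"
            android:allowTaskReparenting="true"/>
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest of an ordinary app for comparison
CLEAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity"/>
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("flashlight", SUSPICIOUS_MANIFEST), ("notes", CLEAN_MANIFEST)):
        print(label, "->", audit_manifest(manifest) or "no findings")
```

None of these declarations is malicious on its own (an SMS client needs the SMS permissions, a screen reader needs the accessibility binding); the signal is the combination, and an app whose stated purpose explains none of them.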


Without any doubt, we will hear increasingly more about mobile attacks. The mobile platform is becoming the primary banking tool for most people, so attackers are logically targeting mobile apps and exploiting new ways to fool users. With sophisticated methods emerging every day, even trained and security-aware users might be tricked and eventually robbed.

ThreatMark’s solution is designed with layered security in mind, as described by Gartner. ThreatMark’s AFS provides a holistic view across all channels, the only way sophisticated types of online fraud can be revealed.

Contact ThreatMark to find out more about our philosophy and let us describe why our customers report massive improvement in cyber-threat detection capabilities.

Lukáš Jakubíček

Pre-Sales Consultant

Working for ThreatMark allows me to use the diverse set of technical and interpersonal skills I have developed over more than 10 years of working in the IT & online marketing industry. Writing about cyber threats is only one of my duties; most of the time my colleagues and I assist our clients in finding new and better ways to fight online fraud efficiently.


Luca Winter

SOC Analyst

As members of the SOC team, it is our responsibility to make sure our clients’ customers are well protected against various cyberthreats. Taking down malicious websites, analyzing malware, fighting ongoing attacks: those are all things that keep us busy. Aside from responding to these threats, we also develop tools that aim to detect new threats as soon as they surface online. We’re always trying to be one step ahead of the malicious actors, which means coming up with innovative ways of catching them.
