Although most cybersecurity attacks have been levied against laptops and home networks, the rise of the use of smartphones has forced bad actors to get more creative. One recent case of a smartphone malware campaign targets Android users specifically. By stealing contactless credit card payment data, hackers can leverage this information to make purchases. This type of attack is predicated on both social engineering and SMS phishing that directs individuals to domains that impersonate websites and banking applications. The good news is that it does not appear that these actors have managed to leverage legitimate programs; the bad news is that these impersonations look real.
So how does it work? The process is remarkably simple. The attackers send an SMS text that includes a link for an app download that appears legitimate to the recipient. After the victim downloads the app, the hackers phish their banking credentials to access their accounts. Because banks have protocols in place to avoid this kind of attack, the hackers then call the victim pretending to be a bank employee. After informing the victim about the security incident (that they themselves carried out), the victim is then asked to change their PIN code as well as to validate their banking card via a different malicious app. When the victim complies, the hackers have everything they need to drain the victim’s accounts. While, there is no evidence to suggest that these apps were distributed through the Google Play Store, it is important to note that this attack is carried out in two steps because the second malicious app is already banned from the Play Store.
Avoiding this attack is simple, but it does take diligence and discipline. Do not open links from unknown numbers unless you can absolutely verify that the number is from someone you know. Furthermore, if your bank calls you, make certain that they can prove they are a member of your bank: an unknown or non-public number here tends to suggest that the call is fraudulent. Ultimately, this story is an important warning about the rise of cyberattacks. Even when you are using a device other than your computer, you still need to be careful.
