Slide 1

Slide 1 text

Live Demo: Compromising Modern Mobile Banking Apps through Hijacking an Android Device
Compromising Mobile Banking Apps
Svetlin Nakov, PhD
Co-Founder, Innovation and Inspiration @ Software University (SoftUni)
https://nakov.com
Software University (SoftUni) – http://softuni.org

Slide 2

Slide 2 text

About Dr. Svetlin Nakov
- Software engineer, trainer, entrepreneur, inspirer, PhD, author of 15+ technical books
- 3 successful tech educational initiatives (150,000+ students)

Slide 3

Slide 3 text

Modern Banking Apps are Insecure!
- Most modern banking apps are insecure!
- Compromised smartphone == hacked mobile banking
- Multi-factor authentication from a single device == single-factor authentication!
  - First factor: username + password / PIN → a hacked smartphone gives up all its passwords!
  - Second factor: OTP generator implemented as a mobile app → controlled remotely by the attackers!
  - Third factor: email or SMS confirmation (also hacked, it arrives on the same phone)

Slide 4

Slide 4 text

Hijacking an Android Mobile Phone
- Physical access to the device → attackers directly install a remote control app / malware
- No physical access → attackers trick the user into installing malware (fake app in the app store / phishing / spoofing / other attack)
- Remote-control the device (100% full access)
- Collect credentials (passwords, PIN codes), impersonate the phone owner, perform everything the phone owner can perform

Slide 5

Slide 5 text

Warning! The following demo is for educational purposes only! Secretly hijacking mobile devices is illegal in most countries!

Slide 6

Slide 6 text

Hijacking an Android Mobile Phone – Example
1. Gain physical access to the mobile device
   - E.g. "Can you take a photo of me … Can I email myself the photo?"

Slide 7

Slide 7 text

2. Install TeamViewer Host from the official app store
3. Log in to a TeamViewer account
4. Now the device is ready to connect

Slide 8

Slide 8 text

Alternative: AnyDesk Remote Control

Slide 9

Slide 9 text

Unattended Access in AnyDesk
- AnyDesk allows unattended (silent) access:
  - Remote clients use a password
  - Sessions are created without confirmation on the phone

Slide 10

Slide 10 text

5. Hide the app's notifications (optional)
   - This makes the remote control invisible to the phone owner

Slide 11

Slide 11 text

6. Connect remotely with TeamViewer Remote Control
   - View the phone's screen and tap on it remotely

Slide 12

Slide 12 text

7. Wait for the smartphone owner to unlock the device
   - Most smartphones use a lock screen
   - Unlocking is done by screen swipe or with pattern or PIN or
   - Remember the screen lock pattern

Slide 13

Slide 13 text

8. View the saved passwords from the web browser

Slide 14

Slide 14 text

Some Apps Prevent Screen Capturing
- An app can set FLAG_SECURE (WindowManager.LayoutParams.FLAG_SECURE) on its window to prevent screen capturing and recording; the remote viewer then sees a black screen
- This helps only partially!
  - In Chrome the saved passwords are hidden, but they can still be copied to the clipboard!
  - Some screen recording apps bypass this "black screen" protection

Slide 15

Slide 15 text

9. Install a screen recorder to collect passwords and PIN codes from screencast videos

Slide 16

Slide 16 text

Watching the Online Banking Passwords
- Wait for the phone owner to log in to the online banking (or use a screen recorder)
- The username + password will be revealed

Slide 17

Slide 17 text

9. The mobile banking credentials can also be taken

Slide 18

Slide 18 text

10. Uninstall TeamViewer Host (hide your tracks, optional)

Slide 19

Slide 19 text

What is Vulnerable?
- Lock screen → unsafe: PIN visible; pattern visible by default
- Email, SMS, saved passwords → unsafe (direct access)
- Google Authenticator → safe (black screen on newer Android)
- Revolut → safe (fingerprint to log in)
- Wise → safe (fingerprint to log in)
- Allianz Bank → unsafe (PIN visible, biometry can be disabled)
- Unicredit Bulbank → unsafe (PIN visible, no biometry support)
- Postbank → safe (fingerprint + invisible PIN to log in)

Slide 20

Slide 20 text

Fixing the Online Banking Security
Recommendations and Best Practices

Slide 21

Slide 21 text

Fixing the Online Banking Security
- Use hardware OTP generators
- Use biometry to unlock the OTP generator (like Revolut, Wise)
- Use FLAG_SECURE (WindowManager.LayoutParams.FLAG_SECURE) in Android to disable screen capture in sensitive apps
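As an added example (not code from the deck or from any of the banks listed), here is how a banking app's login screen would apply the FLAG_SECURE recommendation from this slide together with the clipboard caveat from slide 14: the window flag blinds screenshots, screen recorders and MediaProjection-based remote viewers like the ones used in the demo, and the clipboard handling covers the copy-to-clipboard leak that FLAG_SECURE does not. `LoginActivity`, `R.layout.activity_login`, `copySensitive` and the package name are hypothetical.

```kotlin
package com.example.bank  // hypothetical package, so that R resolves

import android.content.ClipData
import android.content.ClipDescription
import android.content.ClipboardManager
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.os.PersistableBundle
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity

// Hypothetical login screen of a banking app (added example, not any real app's code).
class LoginActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE applies to the whole window: screenshots, screen recorders and
        // MediaProjection-based remote viewers receive black pixels for this Activity.
        // Set it before setContentView() so that no frame is ever drawn without it.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_login)  // hypothetical layout resource
    }

    // FLAG_SECURE does not cover the clipboard (the Chrome caveat on slide 14).
    // If a secret must be copied at all, mark it sensitive (Android 13+) so the system
    // clipboard preview hides it, and clear the clipboard when this screen goes away.
    fun copySensitive(label: String, secret: String) {
        val clipboard = getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
        val clip = ClipData.newPlainText(label, secret)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            clip.description.extras = PersistableBundle().apply {
                putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true)
            }
        }
        clipboard.setPrimaryClip(clip)
    }

    override fun onStop() {
        super.onStop()
        // Whatever was copied on this screen must not outlive it.
        val clipboard = getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            clipboard.clearPrimaryClip()
        } else {
            clipboard.setPrimaryClip(ClipData.newPlainText("", ""))
        }
    }
}
```

Two caveats that the demo makes visible. FLAG_SECURE blanks the pixels but not the view hierarchy, so an accessibility-based remote-control service can still read the text of the fields; on Android 14+ a view can additionally be hidden from services that are not declared accessibility tools with `View.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)` (or the `android:accessibilityDataSensitive` attribute). And none of this protects a password stored in another app, which is why the Chrome saved-passwords page in the demo stays exposed even though its screen is black.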

Slide 22

Slide 22 text

Improving the Mobile Device Security
- Recommendations for improved mobile device security:
  - Beware of the apps you install → avoid suspicious apps
  - Don't give your phone to anyone (e.g. to kids to play games)
  - Prefer biometry (fingerprint, face ID) to unlock the screen
  - iOS is generally more secure than Android → iOS does not support remote control (only remote view)
  - Use two-factor authentication with 2 separate devices (e.g. laptop + smartphone)
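The remote-control tools in the demo (slides 7 to 11) typically drive the screen through an Android accessibility service on devices without a vendor-specific remote-control add-on, which is also what lets them tap the PIN pad. An added example (not from the deck) of a check a banking app can run before showing its PIN or OTP screen: enumerate the enabled accessibility services and flag any that can inject gestures and is not on the app's own allowlist. `AccessibilityRisk`, `findUntrustedAccessibilityServices`, `remoteControlLikely` and the allowlist contents are hypothetical.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.os.Build
import android.view.accessibility.AccessibilityManager

/** An enabled accessibility service from a package the app does not trust. */
data class AccessibilityRisk(
    val packageName: String,
    val serviceName: String,
    val canInjectGestures: Boolean,
)

/**
 * Returns the enabled accessibility services whose package is not in [trustedPackages].
 * CAPABILITY_CAN_PERFORM_GESTURES (API 24+) marks services allowed to dispatch taps and
 * swipes, i.e. the capability a remote-control tool needs to operate the phone.
 */
fun findUntrustedAccessibilityServices(
    context: Context,
    trustedPackages: Set<String>,
): List<AccessibilityRisk> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    val enabled = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
    return enabled.mapNotNull { info ->
        val service = info.resolveInfo?.serviceInfo ?: return@mapNotNull null
        if (service.packageName in trustedPackages) return@mapNotNull null
        val canInject = Build.VERSION.SDK_INT >= Build.VERSION_CODES.N &&
            (info.capabilities and AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0
        AccessibilityRisk(service.packageName, service.name, canInject)
    }
}

/**
 * Policy hook for the PIN/OTP screen: true when a service that can inject input is active.
 * The allowlist is an example (TalkBack's package); a real app would maintain its own.
 */
fun remoteControlLikely(context: Context): Boolean {
    val trusted = setOf("com.google.android.marvin.talkback")  // example allowlist entry
    return findUntrustedAccessibilityServices(context, trusted).any { it.canInjectGestures }
}
```

The check runs on the very device the attacker controls, so treat its result as a signal (refuse to show the PIN pad, require confirmation from a second device, log the package names) rather than as a defence in itself; a vendor remote-control add-on or a rooted device gives remote control without any accessibility service and is not caught here.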

Slide 23

Slide 23 text

Questions?
https://nakov.com