Slide 1
Live Demo: Compromising Modern Mobile Banking Apps through Hijacking an Android Device
Compromising Mobile Banking Apps
Svetlin Nakov, PhD
Co-Founder, Innovation and Inspiration @ Software University (SoftUni)
https://nakov.com
Software University (SoftUni) – http://softuni.org
Slide 2
About Dr. Svetlin Nakov
Software engineer, trainer, entrepreneur, inspirer, PhD, author of 15+ technical books
3 successful tech educational initiatives (150,000+ students)
Slide 3
Modern Banking Apps are Insecure!
Most modern banking apps are insecure!
Compromised smartphone == hacked mobile banking
Multi-factor authentication from a single device == single-factor authentication!
First factor: username + password / PIN
A hacked smartphone gives up all the passwords stored on it!
Second factor: OTP generator, implemented as a mobile app
Controlled remotely by the attackers!
Third factor: email or SMS confirmation (also hacked, since it arrives on the same device)
Slide 4
Hijacking Android Mobile Phone
Physical access to the device
Attackers directly install a remote control app / malware
No physical access
Attackers trick the user into installing malware
Fake app in the app store / phishing / spoofing / other attack
Remotely control the device (100% full access)
Collect credentials (passwords, PIN codes), impersonate the phone owner, perform everything the phone owner can perform
Slide 5
Warning!
The following demo is for educational purposes only!
Secretly hijacking mobile devices is illegal in most countries!
Slide 6
Hijacking Android Mobile Phone – Example
1. Gain physical access to the mobile device
E.g. "Can you take a photo of me? ... Can I email myself the photo?"
Slide 7
Hijacking Android Mobile Phone – Example
2. Install TeamViewer Host from the official app store
3. Log in to a TeamViewer account (one the attacker controls)
4. Now the device is ready to connect
Slide 8
Alternative: AnyDesk Remote Control
Slide 9
Unattended Access in AnyDesk
AnyDesk allows unattended (silent) access:
Remote clients use a password
Sessions are created without confirmation on the device
Slide 10
Hijacking Android Mobile Phone – Example
5. Hide the app notifications (optional)
This makes the remote control invisible to the phone owner
Slide 11
Hijacking Android Mobile Phone – Example
6. Connect remotely with TeamViewer Remote Control
View the phone's screen and click on it remotely
Slide 12
Hijacking Android Mobile Phone – Example
7. Wait for the smartphone owner to unlock the device
Remember the screen lock pattern
Most smartphones use a lock screen
Unlocking is done by screen swipe or with pattern or PIN or
Slide 13
Hijacking Android Mobile Phone – Example
8. View the saved passwords from the web browser
Slide 14
Some Apps Prevent Screen Capturing
Apps may set FLAG_SECURE (WindowManager.LayoutParams.FLAG_SECURE) on a window to prevent screen capturing or recording of it
This helps only partially!
In Chrome the saved passwords are blacked out, but they can still be copied to the clipboard!
Some screen recording apps bypass this "black screen" protection
Slide 15
Hijacking Android Mobile Phone – Example
9. Install a screen recorder to collect passwords and PIN codes through screencast videos
Slide 16
Watching the Online Banking Passwords
Wait for the phone owner to log in to the online banking
Or use a screen recorder
The username + password will be revealed
Slide 17
Hijacking Android Mobile Phone – Example
9. (continued) The mobile banking credentials can also be taken the same way
Slide 18
Hijacking Android Mobile Phone – Example
10. Uninstall TeamViewer Host (hide your tracks, optional)
Slide 19
What is Vulnerable?
Lock screen: unsafe (PIN visible; pattern visible by default)
Email, SMS, saved passwords: unsafe (direct access)
Google Authenticator: safe (black screen in newer Android versions)
Revolut: safe (fingerprint used to log in)
Wise: safe (fingerprint used to log in)
Allianz Bank: unsafe (PIN visible, biometry can be disabled)
Unicredit Bulbank: unsafe (PIN visible, no biometry support)
Postbank: safe (fingerprint + invisible PIN used to log in)
Slide 20
Fixing the Online Banking Security
Recommendations and Best Practices
Slide 21
Fixing the Online Banking Security
Use hardware OTP generators
Use biometry to unlock the OTP generator (like Revolut, Wise); do not offer a PIN fallback that a remote viewer can learn and use to disable biometry
Set FLAG_SECURE (WindowManager.LayoutParams.FLAG_SECURE) on sensitive screens in Android to disable screen capture of them
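The two recommendations above (FLAG_SECURE on sensitive screens, biometry to unlock the OTP generator) and the partial-protection caveat from slide 14 can be combined in one Android activity. The following is an added Java example written for this page; it is not code from the slides or from any of the banks mentioned. It assumes androidx.biometric is available, API level 30 or later, and that the bank provisions a 20-byte HOTP seed at enrollment; the class name, key alias, OtpListener interface and the placeholder seed are assumptions, not names from the original.

```java
// Added example (not from the original slides). Two defences against the
// screen-hijacking demo are combined:
//   1. FLAG_SECURE on the window, so the PIN/OTP screen is rendered black in
//      screenshots, screen recordings and remote-control streams. Slide 14
//      shows this is only partial: it hides pixels, not the clipboard.
//   2. The OTP seed lives in the Android Keystore with per-use strong biometric
//      authentication and NO device-credential (PIN/pattern) fallback. A remote
//      operator who watched the PIN over the screen stream still cannot make
//      the Keystore release an HMAC, because the auth token is checked in the
//      TEE/secure element, below anything the remote UI can influence.
import android.os.Bundle;
import android.security.keystore.KeyProperties;
import android.security.keystore.KeyProtection;
import android.view.WindowManager;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OtpActivity extends FragmentActivity {      // hypothetical class name
    private static final String KEY_ALIAS = "bank-otp-seed"; // hypothetical alias

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // 1. Never let this window appear in captures: MediaProjection-based
        //    recorders and remote-control apps see a black rectangle instead.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
    }

    /** Run once at enrollment: import the bank-provisioned HOTP seed (assumed
     *  input) into the hardware-backed Keystore with a biometric-only policy. */
    static void importOtpSeed(byte[] seed) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyProtection protection = new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN)
                .setUserAuthenticationRequired(true)
                // timeout 0 = a fresh authentication for every single HMAC;
                // BIOMETRIC_STRONG only = the lock-screen PIN/pattern is NOT
                // accepted, so "disable biometry, use PIN" is not an option.
                .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
                .setInvalidatedByBiometricEnrollment(true) // new fingerprint -> key unusable
                .build();
        ks.setEntry(KEY_ALIAS,
                new KeyStore.SecretKeyEntry(new SecretKeySpec(seed, "HmacSHA1")),
                protection);
    }

    /** 2. Generate one OTP. The Mac is bound to the Keystore key and wrapped in a
     *  CryptoObject; doFinal() only works inside onAuthenticationSucceeded. */
    void generateOtp(long counter, OtpListener listener) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(ks.getKey(KEY_ALIAS, null)); // init succeeds; use needs auth

        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm with fingerprint to generate the OTP")
                .setNegativeButtonText("Cancel")
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .build();
        BiometricPrompt prompt = new BiometricPrompt(this,
                ContextCompat.getMainExecutor(this),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        Mac authorizedMac = r.getCryptoObject().getMac();
                        byte[] hmac = authorizedMac.doFinal(
                                ByteBuffer.allocate(8).putLong(counter).array());
                        listener.onOtp(hotpTruncate(hmac, 6));
                    }
                });
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(mac));
    }

    /** RFC 4226 dynamic truncation of an HMAC into a numeric code. */
    static String hotpTruncate(byte[] hmac, int digits) {
        int offset = hmac[hmac.length - 1] & 0x0f;
        int binary = ((hmac[offset] & 0x7f) << 24)
                   | ((hmac[offset + 1] & 0xff) << 16)
                   | ((hmac[offset + 2] & 0xff) << 8)
                   |  (hmac[offset + 3] & 0xff);
        int code = binary % (int) Math.pow(10, digits);
        return String.format("%0" + digits + "d", code);
    }

    interface OtpListener { void onOtp(String otp); }
}
```

The order of trust matters: FLAG_SECURE only blanks pixels, and slide 14 shows recorders that get around it, so it is a usability layer rather than the security boundary. The Keystore policy is the boundary: with a per-use, biometric-only key the attacker in the demo can watch every screen, copy every clipboard and still not obtain a single OTP, which is what makes Revolut and Wise "safe" in the table on slide 19 while the PIN-only apps are not.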
Slide 22
Improving the Mobile Device Security
Recommendations for improved mobile device security:
Beware of the apps you install; avoid suspicious apps
Don't give your phone to anyone (e.g. to kids to play games)
Prefer biometry (fingerprint, face ID) to unlock the screen
iOS is generally more secure than Android in this respect: iOS does not allow third-party apps to remotely control the device (only remote view)
Use two-factor authentication with 2 separate devices (e.g. laptop + smartphone)
Slide 23
Questions?
Compromising Mobile Banking Apps
https://nakov.com