Live Demo: Compromising Modern Mobile Banking Apps through Hijacking Android Device Compromising Mobile Banking Apps Svetlin Nakov, PhD Co-Founder, Innovation and Inspiration @ Software University (SoftUni) https://nakov.com Software University (SoftUni) – http://softuni.org

 Software engineer, trainer, entrepreneur, inspirer, PhD, author of 15+ technical books  3 successful tech educational initiatives (150,000+ students) About Dr. Svetlin Nakov 2

 Most modern baking apps are insecure!  Compromised smartphone == hacked mobile banking  Multi-factor authentication from single device == single-factor authentication!  First factor: username + password / PIN  Hacked smartphone provides all its passwords!  Second factor: OTP generator, implemented as mobile app  Controlled remotely by hackers!  Third factor: email or SMS confirmation (also hacked) Modern Banking Apps are Insecure! 3

 Physical access to the device  Attackers directly install remote control app / malware  No physical access  Attackers trick the user to install malware  Fake app in the app store / phishing / spoofing / other attack  Remote control the device (100% full access)  Collect credentials (passwords, PIN codes), impersonate the phone owner, perform everything the phone owner can perform Hijacking Android Mobile Phone 4

Warning! The following demo is for educational purposes only! Secretly hijacking mobile devices is illegal in most countries!

1. Gain a physical access to the mobile device  E.g. Can you take a photo of me … Can I email myself the photo? Hijacking Android Mobile Phone – Example 6

2. Install TeamViewer Hos t from the official app store 3. Login in some TeamViewer account 4. Now the device is ready to connect Hijacking Android Mobile Phone – Example 7

Alternative: AnyDesk Remote Control 8

 AnyDesk allows unattended (silent) access:  Remote clients use password  Sessions are created without confirmation Unattended Access in AnyDesk 9

5. Hide app notifications (optionally)  This will make the remote control invisible for the phone owner Hijacking Android Mobile Phone – Example 10

Hijacking Android Mobile Phone – Example 11 6. Connect remotely with TeamViewer Remote Control  View the phone's screen and click on it remotely

7. Wait for the smartphone owner to unlock the device  Remember the screen lock pattern  Most smartphones use lock screen  Unlocking is done by screen swipe or with pattern or PIN or Hijacking Android Mobile Phone – Example 12

Hijacking Android Mobile Phone – Example 13 8. View the saved passwords from the Web browser

 In some Android versions, apps may use Display.FLAG_SECURE to prevent screen capturing or recording  This may help only partially!  In Chrome passwords are invisible but can be copied to the clipboard!  Some screen recording apps bypass this "black screen" protection Some Apps Prevent Screen Capturing 14

Hijacking Android Mobile Phone – Example 15 9. Install a screen recorder to collect passwords and PIN codes through screencast videos

 Wait for the phone owner to login in the online banking  Or use a screen recorder  The username + password will be revealed Watching the Online Banking Passwords 16

Hijacking Android Mobile Phone – Example 17 9. Тhe mobile banking credentials can also be taken

10. Uninstall TeamViewer Host (hide your tracks, optionally) Hijacking Android Mobile Phone – Example 18

 Lock Screen: unsafe PIN  visible; pattern  visible by default  Email, SMS, saved passwords  unsafe (direct access)  Google Authenticator  safe (black screen in new Android)  Revolut  safe (use fingerprint to login)  Wise  safe (use fingerprint to login)  Allianz Bank  unsafe (PIN visible, biometry can be disabled)  Unicredit Bulbank  unsafe (PIN visible, no biometry support)  Postbank  safe (use fingerprint + invisible PIN to login) What is Vulnerable? 19

Fixing the Online Banking Security Recommendations and Best Practices

 Use hardware OTP generators  Use biometry to unlock the OTP generator (like Revolut, Wise) Fixing the Online Banking Security 21  Use Display.FLAG_SECURE in Android to disable screen capture in sensitive apps

 Recommendations for improved mobile device security  Beware of apps you install  avoid suspicious apps  Don't give your phone to anyone (e.g. to kids to play games)  Prefer biometry (fingerprint, face ID) to unlock the screen  iOS is generally more secure than Android  iOS does not support remote control (only remote view)  Use two-factor authentication with 2 separate devices (e.g. laptop + smartphone) Improving the Mobile Device Security 22

Questions? https://nakov.com Compromising Mobile Banking Apps