Revive Mobile Malware Analysis: How to Protect Your App
Since the COVID-19 pandemic, adoption of mobile devices for remote banking services dramatically increased. While using smartphones for mobile banking creates an excellent customer experience, it also attracts the attention of cybercriminals, fraudsters, and hackers who have ramped up attacks on the mobile channels.
Recently, our colleagues from the Cleafy TIR team discovered new Android malware called Revive. This malware is targeted specifically at a top-tier bank with a huge presence in Europe and Latin America. Revive stayed undetected by traditional anti-virus solutions for at least one week until Cleafy discovered it on 15 June 2022, and even today it remains undetected by the majority of anti-virus tools.
In this blog, we’ll break down the Revive malware, explain how it targets mobile banking apps, and explore ways to protect your environment from this and similar threats.
Revive: Android Malware Analysis
The Revive malware does not target iOS. It is based on “open-source” spyware Teardroid (publicly available on GitHub) and operates on many of the same principles and strategies that define other mobile malware. Revive itself was developed with the goal of performing account takeover (ATO) attacks by utilizing built-in Accessibility Services used in Android devices.
With the goal of ATO, Revive uses multiple strategies to glean the sensitive information it needs to infiltrate an account. This malicious application has been observed doing the following:
- Intercepting all messages received on the infected device, with the aim of obtaining the two-factor authentication (2FA) code the bank sends to the user via SMS.
- Applying an overlay screen over the targeted banking app's display with a fake login or money transfer prompt that steals user credentials and spoofs payment information.
- Logging everything the user types on the device (e.g., login credentials and OTPs, messages, phone numbers, etc.). This information is saved to a local database before being sent to the command and control (C2) server.
Mobile Malware Detection and Protection
The discovery of any new malicious apps, especially on the Android platform, raises very important questions about mobile banking security. Is your organization taking steps to protect your banking app from malware attacks once installed on your customers’ mobile phones?
Let’s review a few application security and information security strategies and technologies to counteract the ways Revive extracts data from a mobile app.
SMS OTP Delivery Method and 2FA
The first vulnerability to address involves the delivery of a one-time password (OTP) through SMS. SMS is subject to many well-known security vulnerabilities, including attacks on the underlying SS7 protocol and SIM swap attacks; in this case, SMS messages are intercepted by malware residing on the user's mobile device.
Due to these vulnerabilities, it is impossible to ensure the confidentiality, integrity and authenticity of payment information. This leads to non-compliance with the PSD2 Dynamic Linking requirements for authenticating financial transactions. Banks and any other organizations subject to PSD2 regulations should consider more secure 2FA delivery methods for mobile platforms, such as push notifications or QR-like secure codes.
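Dynamic linking is what makes an intercepted code useless: the authentication code is bound to the amount and payee the user confirmed, so a transfer whose details were swapped by an overlay fails verification. The example below is added here and is not code from the original post or from Cleafy; it uses an in-memory HMAC key for the device (in a real app the key would live in Android Keystore), a server-issued nonce per transaction, and constructed sample IBANs.

```kotlin
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import java.security.MessageDigest
import java.security.SecureRandom

// Transaction data the user sees and confirms in-app. The authentication code
// is bound to exactly these fields, as PSD2 dynamic linking requires.
data class Transfer(val amountCents: Long, val currency: String, val payeeIban: String)

// Canonical byte encoding: fixed field order and a delimiter that cannot occur
// in the fields, so two different transfers never encode identically.
private fun canonical(t: Transfer, nonce: ByteArray): ByteArray =
    (t.amountCents.toString() + "|" + t.currency + "|" + t.payeeIban + "|" +
        nonce.joinToString("") { "%02x".format(it) }).toByteArray(Charsets.UTF_8)

// Device side: compute the code with a per-device key. Assumption: the key is
// held in memory here so the example runs stand-alone; a real app would keep it
// in Android Keystore (hardware-backed where available).
fun authenticationCode(deviceKey: ByteArray, t: Transfer, nonce: ByteArray): ByteArray {
    val mac = Mac.getInstance("HmacSHA256")
    mac.init(SecretKeySpec(deviceKey, "HmacSHA256"))
    return mac.doFinal(canonical(t, nonce))
}

// Server side: recompute over the transfer actually submitted for execution and
// compare in constant time. Any change to amount or payee after the code was
// produced fails the check, so an intercepted or replayed code does not help a fraudster.
fun verifyTransfer(deviceKey: ByteArray, submitted: Transfer, nonce: ByteArray, code: ByteArray): Boolean =
    MessageDigest.isEqual(authenticationCode(deviceKey, submitted, nonce), code)

fun main() {
    val key = ByteArray(32).also { SecureRandom().nextBytes(it) }   // constructed per-device secret
    val nonce = ByteArray(16).also { SecureRandom().nextBytes(it) } // server-issued, one per transaction
    val confirmed = Transfer(12_500, "EUR", "DE89370400440532013000") // constructed sample IBAN

    val code = authenticationCode(key, confirmed, nonce)
    println("original transfer accepted: " + verifyTransfer(key, confirmed, nonce, code))

    // Overlay-style fraud: the payee is swapped after the user confirmed the screen.
    val tampered = confirmed.copy(payeeIban = "GB33BUKB20201555555555")   // constructed sample IBAN
    println("tampered transfer accepted: " + verifyTransfer(key, tampered, nonce, code))
}
```

The server must also reject a nonce it has already seen, otherwise a valid code could be submitted twice for the same transfer.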
Proactive Malware Protection
The next vulnerability to consider lies outside of your app and network. Application developers too often assume that the mobile operating systems and official app stores will provide all necessary security mechanisms to ensure that hidden malware does not find its way onto a user's device. The reality is that these mobile platforms, in this case specifically the Android OS, do not provide adequate protection against malicious software which might be installed by the end-user. Even if you build security into your application, that security must also protect the application in unknown, compromised environments.
To decrease this risk, some financial organizations embed an anti-virus component into their mobile application (through an SDK), which performs security scans on a regular basis. Alternatively, these organizations at least provide requirements and recommendations for end-users to install an anti-virus solution on their mobile device. The main pitfall here is that mobile anti-virus functionality is quite limited. Further, these anti-virus tools focus on reactive protection, such as detection of known malware. In the case of Revive, which targeted a specific organization, such an approach does not provide effective protection.
To eliminate the risk associated with malware on mobile devices, the security paradigm should be shifted to a proactive approach: providing protection not against specific malware, but against the relevant attack vectors. In practice, this means that the mobile banking application should have embedded security controls to block abnormal or potentially malicious activity, such as screen capturing and overlaying, key logging attempts, etc., regardless of who is initiating the activity.
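What such embedded controls look like on Android, as an added example that is not code from the original post or from Cleafy: the screen refuses capture, drops touches relayed through an overlay, and stays closed while an accessibility service outside the bank's allow-list is enabled. The layout, view id and allow-list are hypothetical, and the activity is assumed to live in the app's own package so that `R` resolves.

```kotlin
import android.app.Activity
import android.os.Bundle
import android.provider.Settings
import android.view.MotionEvent
import android.view.WindowManager
import android.widget.Button
import android.widget.Toast

// Accessibility services the bank chooses to trust, e.g. TalkBack (constructed allow-list).
private val TRUSTED_SERVICES = setOf(
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService")

// Screen hosting login or transfer confirmation. Each control targets a technique
// (capture, overlay, accessibility abuse) rather than one malware family.
class TransferActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // 1. Screen capture: FLAG_SECURE blocks screenshots and screen recording of
        //    this window and keeps it off non-secure displays.
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                        WindowManager.LayoutParams.FLAG_SECURE)
        setContentView(R.layout.activity_transfer)                // hypothetical layout
        val confirm = findViewById<Button>(R.id.confirm_transfer) // hypothetical id
        // 2. Overlay / tapjacking: discard touches that pass through a window drawn
        //    on top of this one ...
        confirm.filterTouchesWhenObscured = true
        // ... and (API 29+) also refuse the tap while any part of the window is
        //    covered, a case filterTouchesWhenObscured alone lets through.
        confirm.setOnTouchListener { _, ev ->
            (ev.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        }
    }

    override fun onResume() {
        super.onResume()
        // 3. Accessibility abuse: enumerate enabled services and keep the sensitive
        //    flow closed while any service outside the allow-list is active.
        val enabled = Settings.Secure.getString(
            contentResolver, Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES
        ).orEmpty().split(':').filter { it.isNotBlank() }
        val unexpected = enabled.filterNot { it in TRUSTED_SERVICES }
        if (unexpected.isNotEmpty()) refuseSensitiveFlow(unexpected)
    }

    // Policy (warn, step-up authentication, block) is the bank's call; here the screen closes.
    private fun refuseSensitiveFlow(services: List<String>) {
        Toast.makeText(this, "Unrecognised accessibility service: ${services.first()}",
                       Toast.LENGTH_LONG).show()
        finish()
    }
}
```

None of these checks identifies Revive by signature; they constrain the capture, overlay and accessibility channels the malware relies on, which is the point of the proactive approach described above.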
Vulnerabilities in the Functionality
Mobile operating systems, especially Android, have feature-rich, built-in functionality which can be exploited to perform malicious activity on end-users' devices. This is the case with Revive and Android’s Accessibility Services. Furthermore, the mobile platform itself may have undocumented features or vulnerabilities that carry additional security risks to applications installed on the device. Due to this, any mobile device, regardless of the operating system, should be considered an untrusted platform.
Any application processing sensitive data should implement an additional security layer between the operating system and the application itself, which provides a trusted execution environment for the internal application components.
Mobile Security for Targeted and Widespread Threats
Revive, though effective in its deployment, is not an exceptional piece of malware. Using known strategies to extract data with overlays and key loggers, the malware seeks to steal enough personal information to infiltrate the user’s banking accounts. The key to stopping such a threat is two-fold: understanding how it operates and protecting against its attacks, whether that is through push-notifications, transaction signing, and/or app shielding.