Swordfish Security: 35% of financial apps in Russia can be used to steal money
Photo: yanalya/freepik.com
At least 35% of the financial applications used by Russians contain critical vulnerabilities. Gazeta.Ru learned this from the information security company Swordfish Security, which analyzed more than a hundred mobile applications for iOS and Android. The most common problem is insecure data storage: 65% of the vulnerable programs poorly protect not only customers' personal data but also logins and passwords. Most experts believe that such vulnerabilities on their own are unlikely to lead to loss of money, but exploiting them often becomes one step in a malicious attack aimed at stealing money.
More than a third of financial applications used by Russians have critical vulnerabilities. Gazeta.Ru learned about this from a study by Swordfish Security, which analyzed the security of more than a hundred iOS and Android applications.
“The main categories of applications studied are: banking clients, fintech, telecom, as well as groups of applications (for example, the main application of the bank and all other utilities related to it),” said the co-founder of Swordfish Security Yuri Shabalin.
As a rule, the vulnerable applications turn out to be projects of young companies and start-ups. However, the researchers also found problems in the programs of large organizations.
Vulnerabilities are much more common on Android than on iOS. In addition, an Android program has on average more problems than the same utility for Apple devices: 8.3 versus 5.3. According to the researchers, Android is more vulnerable because of the wider capabilities of the platform itself. It provides many more ways for an application to interact with other applications and with the user, and under certain circumstances these can be abused.
Violations in data storage rules turned out to be the most common problem: researchers encountered them in 65% of vulnerable programs.
Most often, tokens (encrypted authorization data for communicating with other services) and personal data of users are at risk. Less often, developers forget to “hide” logins and passwords from accounts, as well as keys for encrypting transmitted information.
“This type of vulnerability can allow attackers to obtain personal information of the user, and in the worst scenarios, to completely compromise the account,” the authors of the study noted.
In 35% of the vulnerable applications, information transmitted to the server is not encrypted at all. Because of this, a username and password can potentially be intercepted by an attacker on public Wi-Fi. In 18% of cases, applications have problems with session termination, i.e. with logging users out.
“Due to too long session lifetime or incorrect implementation of the exit function of the application, an attacker can gain access to a user account using session identifiers,” Swordfish Security explained.
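The two controls the quoted explanation points at are a bounded session lifetime and a logout that actually invalidates the session on the server, so that a leaked session identifier stops working. The following is an added illustration written for this article, not code from Swordfish Security or from any of the applications studied; the timeout values and the in-memory store are assumptions chosen for the demonstration.

```python
"""Server-side session store with idle and absolute timeouts and a real logout.

Added example (not from the study). Timeout values are assumptions.
"""
import secrets
import time

IDLE_TIMEOUT = 5 * 60           # assumed: 5 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed: 8 hours since login, regardless of activity


class FakeClock:
    """Deterministic clock so the demo (and tests) can fast-forward time."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session id -> {"user", "created", "last_seen"}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness; not guessable
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None. Expired sessions are deleted."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        too_old = now - s["created"] > ABSOLUTE_TIMEOUT
        too_idle = now - s["last_seen"] > IDLE_TIMEOUT
        if too_old or too_idle:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Remove the server-side record; clearing only the client's copy would leave
        a stolen identifier usable until it times out."""
        return self._sessions.pop(sid, None) is not None


def demo():
    """Exercise the three controls and return the observed outcomes."""
    clock = FakeClock()
    store = SessionStore(clock)
    results = {}

    sid = store.create("alice")
    results["fresh_session_valid"] = store.validate(sid) == "alice"
    clock.advance(IDLE_TIMEOUT + 1)  # no activity for longer than the idle limit
    results["idle_session_rejected"] = store.validate(sid) is None

    sid = store.create("alice")
    # Keep the session active with a request every minute; the absolute
    # limit must still cut it off even though it is never idle.
    for _ in range(ABSOLUTE_TIMEOUT // 60 + 1):
        clock.advance(60)
        store.validate(sid)
    results["absolute_limit_enforced"] = store.validate(sid) is None

    sid = store.create("alice")
    results["logout_invalidates"] = store.logout(sid) and store.validate(sid) is None
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The idle limit bounds how long a session stolen from an unattended device remains usable; the absolute limit bounds it even when the attacker keeps the session alive with periodic requests; and `logout` deletes the record rather than trusting the client to forget the identifier.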
In 10% of the utilities, unsafe interprocess communication was found. Because of it, malware on the smartphone running as application “A” can “look” into the files of vulnerable application “B”, with consequences ranging up to password theft.
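On Android, the exposure described here usually comes from components (activities, services, receivers, content providers) that are reachable from other applications without any permission check, and the unencrypted transport mentioned earlier is often visible in the same manifest as a cleartext-traffic flag. Below is an added example of a static check a reviewer could run over an app's AndroidManifest.xml for both conditions. It is not the study's tooling; the manifest it parses is constructed for the demonstration, and the export rule it applies (a component with an intent filter is treated as exported unless `android:exported` says otherwise) is a deliberate simplification of the platform's defaults.

```python
"""Static audit of an AndroidManifest.xml for two of the issue classes in the article:
exported components with no permission, and cleartext network traffic allowed.

Added example (not from the study). SAMPLE_MANIFEST is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed manifest: one launcher activity (legitimately exported), an
# unprotected exported provider, a permission-protected service and a
# receiver that is implicitly exported by its intent filter.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankdemo">
  <application android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".CardProvider"
              android:authorities="com.example.bankdemo.cards"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bankdemo.SYNC"/>
    <receiver android:name=".PushReceiver">
      <intent-filter><action android:name="com.example.PUSH"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(comp):
    """The launcher activity has to be exported, so it is not a finding."""
    for f in comp.findall("intent-filter"):
        for cat in f.findall("category"):
            if _attr(cat, "name") == LAUNCHER_CATEGORY:
                return True
    return False


def _protecting_permission(comp):
    """Any permission attribute that gates access to the component."""
    names = ["permission"]
    if comp.tag == "provider":
        names += ["readPermission", "writePermission"]
    return next((_attr(comp, n) for n in names if _attr(comp, n)), None)


def audit_manifest(xml_text):
    """Return a list of (finding, element, detail) tuples in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return findings

    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append(("CLEARTEXT_TRAFFIC", "application", "usesCleartextTraffic=true"))

    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        # Simplified rule: explicit exported="true", or an intent filter with
        # no explicit value, means other apps can reach the component.
        reachable = exported == "true" or (exported is None and has_filter)
        if not reachable or _is_launcher(comp):
            continue
        if _protecting_permission(comp) is None:
            findings.append(("EXPORTED_UNPROTECTED", comp.tag, _attr(comp, "name")))
    return findings


if __name__ == "__main__":
    for kind, elem, detail in audit_manifest(SAMPLE_MANIFEST):
        print(f"{kind}: <{elem}> {detail}")
```

Run against the constructed manifest, the check reports the cleartext flag, the exported `CardProvider` with no read or write permission, and the `PushReceiver` that is exported implicitly by its intent filter; the permission-protected `SyncService` and the launcher activity are not reported. A finding from a check like this is a starting point for review, since whether an exported component actually leaks data depends on what it does with the calls it receives.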
Swordfish Security has notified the developers of all the vulnerable programs about the problems it discovered.
Everything is (not) bad
Yuri Shabalin of Swordfish Security believes that a vulnerability on its own is in most cases unlikely to cause the loss of funds accessible through the application. However, exploiting it can become one step in the scenario of an attacker who has set out to steal the victim's money.
“As a rule, in order to successfully carry out an attack with theft of funds, it is necessary to build a vector of several vulnerabilities, or to obtain additional data through social engineering (phishing email, message, call). Each security problem can be built into different scenarios if necessary, and this is what we are seeing now with attackers,” he said.
A similar opinion is shared by Vladimir Kochetkov, head of code analyzer research and development at Positive Technologies. According to him, the detected problems simplify an attacker's work, but using them alone, he will hardly be able to get at bank accounts.
“As a rule, scenarios of real attacks on banking systems involve the use of both vulnerabilities in the program code of banking systems and their client applications, and elements of social engineering (including automated) aimed at misleading the user and performing actions that lead to embezzlement of his money,” the expert said.
In turn, Alexander Bondarenko, CEO of R-Vision, noted that in some cases individual vulnerabilities can indeed be used to steal money. However, exploiting them is so complex and fast-moving that few cybercriminals will want to bother with them.
“Yes, vulnerable applications can be used by hackers to steal data, or to steal money by spoofing outgoing payments or sending unauthorized payments.
This is a more complicated way, since it is first necessary to somehow infect the user’s mobile device itself. Given the fact that there are much simpler methods of stealing money from the public with or without the use of computer technology, attacks on mobile applications are relatively unpopular,” he said.
Even more optimistic was Sergei Golovanov, chief expert at Kaspersky Lab. According to him, application vulnerabilities are rarely used in money-theft operations. The expert claims that holes in the security of mobile programs are far more often used in targeted attacks, when the attacker's task is to find out something about a particular person.
What to do
Swordfish Security gave several recommendations which, if followed, reduce the chance of losing money through an application.
First, you should not install applications if you are not sure of their origin and reliability. You need to be especially careful with applications from third-party sources, above all with their “modified” versions, such as those with ads disabled.
Secondly, you should avoid open Wi-Fi hotspots. If the connection cannot be avoided, then you need to close the applications that handle payment data.
Thirdly, you need to enable two-factor authentication in all applications where this is possible, and also not reuse the same passwords across different services.