Helping a mobile malware fraud victim

Back at the start of October, we had a call from the BBC asking if we could help unpick a fraud. The victim had been defrauded of ~£12,000 through a rogue bank transfer and mentioned that her Android mobile phone had been behaving oddly.

Of course we would help; who wouldn’t be up for the opportunity to educate others how not to be taken advantage of?

We had unpicked a similar mobile fraud case a few months earlier and had success with helping the victim recover their funds.

However, in this case we weren’t hopeful. Even talking the incident through with the victim indicated that there was malware on the phone that had most likely scraped banking credentials.

I couldn’t see that the bank involved were going to refund the stolen monies. This could open the floodgates to the banking sector having to refund all malware-based fraud thefts.

So we had to have a difficult conversation with the victim. Whilst it was likely we could discover how she had been scammed, it was unlikely we would be able to recover her funds.

Anyway, we have a great team of digital forensics and incident responders here at PTP. As it was a mobile app, we teamed up with one of our Android gurus, so Dan Gildersleeve and Dave Lodge set to it.

BBC’s Rip Off Britain delivered the phone safely to us.

Watch the show

The BBC Rip Off Britain show was aired this morning. You can watch it here (you’ll need an iPlayer account).

Summary

On the 17^th of July 2023 at 19:57:43, a malicious application named PDF AI: Add-On was installed on the victim’s device.

At some point after installation, the user will have opened the application, at which point it will have requested permissions to use Android’s Accessibility features, which the user will have accepted. Prior to the accessibility permissions being granted, the application has been demonstrated to have little (if any) malicious functions.

Once these permissions were granted, the application was able to exploit a series of functions offered by the granted permissions to conduct actions including the following:

• Log user inputs
• Access user data stored on the phone such as SMS messages
• Prevent removal or investigation of the application
• Present spoofed on-screen prompts to manipulate the user into entering sensitive information

At this point, the application will likely have conducted no further overt actions that would be immediately perceivable to a standard user.

In the background, however, the application would be logging user inputs and actions and feeding them back to the attackers. The affected device would likely exhibit unusual behaviour such as closing certain menus and preventing the phone from being powered off. The user reported that in the time before the fraudulent transactions took place, they had experienced noticeable drops in their device’s performance. This is likely related to the presence and constant running of the malicious application.

Evidence was identified that indicates some capability to present fake sign-in pages relating to Barclays specifically. It is likely that the user would have entered sensitive data into any such pages, unaware of the compromise.

Ultimately, the data entered by the user, which would have been captured by the malware, would have included the requisite details to access their online bank accounts.

On the 2^nd of August 2023, the owner of the device became aware of fraudulent transactions. This is highly likely to be a result of the malware operator having access to the victim’s banking credentials.

There’s a more detailed analysis of the issue here.

So, we gave our report to the victim and the BBC (with permission, of course!). Pretty much what we had expected, given the early discussion with the victim.

The BBC then took the report to the banks involved. We thought this was the end of the story.

Imagine our surprise when we got a call to say that one of the banks had refunded the victim in full!

I can’t tell you how happy this made us.

Advice

It’s really hard for the average user to determine what apps are legitimate and which are rogue. Google is making efforts to improve the security standards of apps in the Play Store

We believe this app was installed through the user clicking a link. A subsequent permissions pop up then requested additional permissions, which gave the malware the access it needed.

Permissions pop ups are familiar to the user. Knowing which are legitimate is hard. If you don’t recognise the app, don’t give it permission.

If your phone starts to behave oddly (e.g. not letting you turn it off, not letting you close certain apps, not letting you turn off the screen) then it’s probably time for a factory reset

Don’t forget to keep your phone backed up regularly. That way, if you have to factory reset, you won’t lose much data.

When backing up, choose a backup that was from before the phone started playing up, otherwise you’ll just re-install the malware!

If you’re concerned that your bank credentials may have been compromised, call your bank immediately. They can lock your account temporarily whilst the problem is unpicked. Best not to use your mobile, if you’re concerned about it.