How Banking Trojans Bypass Two-Step Verification

Do you think that the SMS system with one-time passwords reliably protects your mobile banking? Think wisely. In this article, we explain how Trojans bypass the two-step verification system.

The two-step verification system via SMS is widespread among banking institutions. Of course, this measure is much more secure than the use of a simple password, but it is not unbreakable. Security specialists discovered that this protection measure could be circumvented some 10 years ago, when it was only beginning to gain popularity.

So did malware creators, and the developers of banking Trojans soon learned to bypass one-time passwords received via SMS with ease. This is how it works:

1. The user opens the legitimate banking app on their smartphone.

2. The Trojan detects which app is being used and overlays the legitimate interface with a fake copy. The fake screen looks the same as the real one.

3. The victim enters their username and password in the fake app.

4. The Trojan sends the access credentials to the criminals. They use this data to access the user’s bank account.

5. The criminals then submit a financial transaction request for the victim's account.

6. The victim receives an SMS on their phone with a one-time password.

7. The Trojan extracts the password from the SMS and sends it to cybercriminals.

8. In addition, it hides the SMS from the user. As a result, the victim does not realize that these operations are taking place until they check their bank account and transaction history.

9. The criminals use the intercepted password to confirm the transaction and receive the victim's money.
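The technique above depends on an app holding two capabilities at once: permission to draw over other apps (for the fake login screen) and permission to receive and read SMS (for the one-time password). As an added example that is not part of the original article, the following triage script flags installed apps that combine both, and notes when the app was sideloaded rather than installed from the store. The Android permission strings and the Play Store installer package name are real; the app inventory is constructed for illustration, and the `App`, `risk_flags`, `is_suspicious` and `triage` names are this example's own.

```python
"""Heuristic triage for the overlay + SMS-interception combination used by
banking Trojans.  Added example; the app inventory is constructed, and the
helper names are this example's own rather than any product's API."""

from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Real Android permission strings.  Together they enable the attack:
# the overlay permission draws the fake login screen over the bank app,
# the SMS permissions receive and read the one-time password.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
# Package name of the Google Play Store, reported as the installer of
# apps that came from the official store.
PLAY_STORE = "com.android.vending"


@dataclass
class App:
    package: str
    # Installer package name; None means the APK was sideloaded.
    installer: Optional[str]
    permissions: set[str] = field(default_factory=set)


def risk_flags(app: App) -> list[str]:
    """Return the individual risk indicators present on one app."""
    flags: list[str] = []
    if OVERLAY in app.permissions:
        flags.append("overlay")
    if app.permissions & SMS_PERMS:
        flags.append("sms")
    if app.installer != PLAY_STORE:
        flags.append("sideloaded")
    return flags


def is_suspicious(app: App) -> bool:
    """Only the combination matters: a messaging app legitimately reads SMS,
    a chat-bubble app legitimately draws overlays; an app doing both has the
    two halves of the technique described in the article."""
    flags = set(risk_flags(app))
    return "overlay" in flags and "sms" in flags


def triage(apps: list[App]) -> list[tuple[str, list[str]]]:
    """Return (package, flags) for suspicious apps, most indicators first."""
    hits = [(a.package, risk_flags(a)) for a in apps if is_suspicious(a)]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


def sample_inventory() -> list[App]:
    """Constructed inventory: one legitimate bank app, one legitimate SMS
    app, one legitimate overlay app, and one sideloaded 'flashlight' that
    asks for both overlay and SMS access."""
    return [
        App("com.example.bank", PLAY_STORE,
            {"android.permission.INTERNET"}),
        App("com.example.messenger", PLAY_STORE,
            {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}),
        App("com.example.chatbubbles", PLAY_STORE, {OVERLAY}),
        App("com.example.flashlight", None,
            {OVERLAY, "android.permission.RECEIVE_SMS",
             "android.permission.INTERNET"}),
    ]


if __name__ == "__main__":
    for package, flags in triage(sample_inventory()):
        print(f"{package}: {', '.join(flags)}")
```

On a real device the inventory would come from the package manager (for example `adb shell pm list packages` and `dumpsys package`), and the heuristic would be one signal among several; what it cannot tell you is whether the overlay is ever used to impersonate a bank, which is why the article recommends a mobile security product that inspects behaviour rather than only permissions.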

We are not exaggerating when we say that practically all modern banking Trojans know how to bypass two-step verification systems that use SMS. In fact, malware writers have no choice: since all banks use this protection measure, Trojans have to adapt to it.

There are a large number of malicious apps that can do this, many more than you think. In the last two months alone, our experts published three detailed reports on different malware families. Each one more alarming than the last:

1. Asacub: a spy app that evolved into a Trojan and learned how to steal money from mobile banking.

2. Acecard: a powerful Trojan that is capable of overlaying the interfaces of around 30 different banking apps. Mobile malware keeps perfecting this technique: initially, Trojans targeted a single app from a specific bank or payment service, but now they can spoof multiple apps at once.

3. Banloader: a cross-platform Trojan of Brazilian origin that is capable of starting simultaneously on PCs and mobile devices.

So, as you can see, two-step verification does not protect you from banking Trojans. It has been failing in this purpose for years and the situation is not getting better. Therefore, you need to take additional security measures.

The basic rule that you should follow, although it is not 100% safe, is not to download apps from unofficial app stores. On many occasions, Trojans have managed to circumvent the security of the Play Store, and even the App Store.

Therefore, the most reliable solution is to install a good antivirus for mobile devices. You can start by installing the free version of Kaspersky Internet Security. It is a basic version, so you will have to run a manual scan of your devices periodically. The full version is paid, but it catches viruses instantly.