Android financial threats on the rise: What small businesses need to know to protect themselves and their customers


The rise of mobile banking has changed how businesses and customers interact, with the aim of offering greater convenience and efficiency. However, this shift has also opened new doors for cybercriminals, particularly on the Android platform, which dominates the global smartphone market. According to the ESET Threat Report H2 2024 [1], Android financial threats, targeting banking apps as well as cryptocurrency wallets, grew by 20% compared to the previous period.

Fortunately, large financial institutions like banks are equipped with significant resources. This enables them to invest in and implement comprehensive cybersecurity measures to protect their systems and customers. However, smaller banks, wealth management firms and insurance agencies are often more vulnerable to cyberattacks. Why is that? While adopting secure technology practices and promoting cyber awareness among their teams is essential for them and their customers, many businesses struggle to implement such measures, leaving them exposed to potential threats.

Why target small businesses’ finances?

Small businesses, often limited in resources and expertise, are increasingly vulnerable to sophisticated financial cyberattacks. Businesses like accounting and payroll services that manage client payments or process sensitive transactions are particularly at risk, as a single breach can cost customer trust and have long-lasting repercussions, including financial ones. 

Understanding the emerging threats and implementing proactive measures to protect both customers and business operations has become more critical than ever, especially considering some of the discoveries made by ESET Research.

Alarming trends 

ESET Research has revealed an alarming trend around Android-targeted financial threats. Attackers are leveraging Progressive Web Apps (PWAs) and Web Android Package Kits (WebAPKs) to create malicious applications that can bypass traditional app store vetting processes and security warnings. 

The mechanics of these attacks are sophisticated yet deceptively simple. Victims are typically lured in through phishing campaigns that exploit various communication channels, including SMS, automated calls, and social media advertisements. In all cases, victims are given a push, urging them to click on a malicious link. 

By clicking on the provided link, the users are redirected to phishing websites that closely mimic official banking app sites, offering downloads for PWA/WebAPKs. PWAs are essentially websites bundled into what feels like a standalone application, using native system prompts. They are basically shortcuts to websites offering almost app-level interaction to the users. The same is true for Web Android Package Kits (WebAPKs), but they are packaged as APKs (native apps) for deeper integration with the Android system. In essence, WebAPKs are upgraded PWAs.

Once installed, these apps function as fake banking interfaces, obtaining sensitive data by phishing or other means and transmitting it to the attackers. Insidiously, installing such an app does not warn the victim about “installing unknown apps”, unlike with regular third-party APKs, making the deception even harder to recognize for regular users. On Android, these phishing WebAPKs even appear to have been installed from the Google Play store.
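The lure described above rests on a web app manifest that borrows a bank's name and icon while being served from an origin the bank does not control. As an added example (not from the original article or from ESET), the JavaScript below triages a manifest collected from a reported link. The origin allow-list, brand terms and sample manifest are hypothetical, and the code assumes the manifest is served from the same origin as the page that links it.

```javascript
// Added example. OFFICIAL_ORIGINS and BRAND_TERMS are hypothetical values for a
// fictional bank; SAMPLE_REPORTED is a constructed manifest, not a real one.
const OFFICIAL_ORIGINS = new Set(["https://bank.example"]);
const BRAND_TERMS = ["example bank", "examplebank"];

// Lower-case, strip diacritics and fold digit look-alikes so that
// "Examp1e Bank" compares equal to "example bank".
function normalize(text) {
  const folds = { 0: "o", 1: "l", 3: "e", 5: "s" };
  return String(text ?? "")
    .normalize("NFKD").replace(/[\u0300-\u036f]/g, "")
    .toLowerCase().replace(/[0135]/g, (c) => folds[c])
    .replace(/\s+/g, " ").trim();
}

// Origin of a possibly relative URL, or null when it does not parse.
function originOf(value, base) {
  try { return new URL(value, base).origin; } catch { return null; }
}

function triageManifest(manifestUrl, manifestJson) {
  let manifest;
  try {
    manifest = JSON.parse(manifestJson);
    if (manifest === null || typeof manifest !== "object") throw new Error("not an object");
  } catch {
    return { verdict: "unparseable", findings: ["manifest is not a JSON object"] };
  }
  // The origin that serves the manifest decides trust, not what the manifest claims.
  const base = new URL(manifestUrl);
  const official = OFFICIAL_ORIGINS.has(base.origin);
  const names = [manifest.name, manifest.short_name].map(normalize);
  const usesBrand = names.some((n) => BRAND_TERMS.some((t) => n.includes(normalize(t))));
  const icons = Array.isArray(manifest.icons) ? manifest.icons : [];
  const hotlinked = icons.some((i) => OFFICIAL_ORIGINS.has(originOf(i?.src, base)));

  const suspect = !official && (usesBrand || hotlinked);
  const findings = [];
  if (suspect && usesBrand) findings.push(`brand name used by ${base.origin}`);
  if (suspect && hotlinked) findings.push("icon loaded from the official origin");
  if (suspect && originOf(manifest.start_url ?? ".", base) !== base.origin) {
    findings.push("start_url is cross-origin, which browsers ignore");
  }
  if (suspect && ["standalone", "fullscreen"].includes(manifest.display)) {
    findings.push("display mode hides the browser address bar");
  }
  return { verdict: official ? "official" : suspect ? "impersonation-suspect" : "unrelated", findings };
}

const SAMPLE_REPORTED = JSON.stringify({
  name: "Examp1e Bank", short_name: "Bank", start_url: "/login", display: "standalone",
  icons: [{ src: "https://bank.example/static/icon-192.png", sizes: "192x192" }],
});
console.log(triageManifest("https://examp1e-bank.example.net/manifest.webmanifest", SAMPLE_REPORTED));
```

A manifest that declares a `start_url` on the official origin while being served elsewhere is still classified by the serving origin, so the claim cannot be used to pass the check.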

A multi-layered approach to threat protection

For the businesses (such as banks) offering legitimate versions of the above-described apps, there can be substantial ramifications for having their property abused, ranging from reputational damage, through financial loss due to users potentially abandoning their bank, to legal issues.

Hence, protecting against these threats requires a comprehensive strategy. Businesses need to implement a variety of proactive measures, including:

●      Multi-factor authentication, which significantly reduces the risk of unauthorized access by requiring multiple verification methods. This approach combines something the user knows (e.g., a password), something they have (e.g., a smartphone or security token), and something they are (e.g., biometric data such as fingerprints or facial recognition).

●      Consider using dynamic data encryption keys to mitigate the human risk element in cybersecurity. These data keys are uniquely generated for every transaction and change frequently, making it harder for attackers to abuse stolen credentials.

●      Regular security audits should help identify and address vulnerabilities before attackers can exploit them.

●      Adopting stringent coding standards and conducting regular code reviews to minimize the risk of security gaps in app updates.

●      Regular cybersecurity awareness training sessions keeping staff informed about emerging cyber threats and best practices for handling them. 

●      Deploying artificial intelligence that can detect unusual logins, transactions, and changes in the user account based on previous analysis of user behavior patterns.

●      Cloud security enhancements, which leverage automatic updates and scalability to strengthen defenses while reducing reliance on physical servers.

●      Gamified digital security education, engaging both employees and customers to reinforce password hygiene and social engineering awareness. Employees who recognize signs of phishing or malware can act as the first line of defense.

●      Blockchain security applications, offering immutable and encrypted transaction records for additional protection against data breaches.

 

For all these actions, simplicity is key. User-friendly security measures, such as biometric authentication or password managers, should be intuitive and easy to use, encouraging businesses and their employees to adopt and maintain these practices long-term.

How to protect customers

At a time when convenience often comes with hidden risks, small businesses have an opportunity to differentiate themselves by demonstrating a commitment to security. This not only protects their operations but also builds customer loyalty in a competitive marketplace.

Educating customers is a vital step. Businesses can empower customers by highlighting their own security efforts, like two-factor authentication and secure transactions. By making security part of their brand identity and providing supportive resources, SMBs can create a safe, confident experience for their customers.

Strengthening internal security measures is equally important, though. Small businesses should consider implementing mobile threat detection solutions capable of identifying and neutralizing malicious PWAs and WebAPKs. They should also collaborate with financial partners, sharing intelligence on emerging threats and developing coordinated incident response plans to address attacks quickly and effectively.

Cyberattacks may continue to grow in sophistication, but with the right tools and strategies, businesses can stay one step ahead. By staying informed about emerging threats, investing in robust security measures, and fostering collaboration with industry partners, small businesses can ensure their customers’ safety.

Links:

https://www.eset.com/de/business/solutions/mobile-threat-defense/?srsltid=AfmBOoopvNs7WVRMYMCVwHM7q0R2pKsY1D1sfXt9B9StE_oU9xsOaeSZ

https://www.eset.com/int/business/protect-platform/

https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22024.pdf

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit www.eset.com or follow us on Facebook, YouTube and Twitter.