Authorities in Asia are sounding the alarm in response to a 65.5% spike in scam cases in Singapore in the first half of 2023. Of particular concern, consumers are being lured to download malicious Android apps designed to steal user credentials and skim personal data, leading to account takeovers (ATO) and fraudulent transactions.
The increase in malicious mobile apps is not unique to Asia, however. Remote access trojans (RATs) and banking trojans are a growing problem around the globe. In 2022, security researchers discovered nearly 200,000 new mobile banking trojans — a two-fold increase year over year — on both official and unofficial app stores. Wielding the power of generative AI (GenAI), criminals are creating deceptive scams that lure more victims.
In this blog post, we’ll cover the types of malicious apps that are on the rise. We’ll also summarize new security recommendations from Singapore to give you an idea of compliance requirements on the horizon for global banks. Moreover, you’ll learn how an AI-driven identity-security platform provides better protection against malicious apps.
What’s driving the uptick in malicious apps?
With new tools and tactics at their fingertips, scammers are tricking more victims into downloading malware-infected apps disguised as legitimate games, office utilities and retail apps. In some cases, they’re posting ads, often on social media or third-party sites, enticing victims with discounts or promotions. Once installed, attackers use these apps to remotely access the victim’s device and steal data.
The payload often includes a keylogger that abuses accessibility permissions to record input, including usernames and passwords. Later, bad actors log in and take over accounts to transfer funds or purchase goods with the victim’s credit card. These scams are more evasive, fast and damaging by design. Their tools and tactics include:
- GenAI scams: ChatGPT-like tools, including image generation apps and superior translation services, enable fraudsters to create eye-catching ads for fake goods or services. They also use bots and social media accounts to build trust, mimicking local dialects, professional language or gamer lingo, for example. They can even respond to messages and create positive, but fake, reviews.
- GenAI phishing: The same tools are making it easier for fraudsters to create polished phishing emails and spoofed websites, tricking more users into downloading malicious apps. Threat researchers say phishing attacks have increased by 1,265% in the past 12 months, attributed largely to GenAI.
- Deepfakes: Scammers are using GenAI to create video and voice deepfakes to enhance the illusion of legitimacy. Voice cloning is also being used in call centers to deceive voice authentication systems.
- RATs (remote access trojans): Hackers use RATs, masquerading as real apps, to gain remote access to the victim’s operating system, screen and keystrokes. They often entice users to download the bad app by advertising low-cost items. On the payment page, users are prompted to log into their bank account, which hands over their credentials and multi-factor authentication (MFA) codes so the attacker can take over the account and the victim’s funds.
- Banking trojans: Advanced malware, like Xenomorph, Anubis and BankBot, enables fraudsters to take control of devices and bank accounts. Sold on the dark web, these trojans are customizable so hackers can tailor them to look like legitimate apps.
Among their many tricks, trojans overlay fake login forms on the screen by exploiting accessibility services. Unwitting customers enter their credentials and one-time passcodes (OTPs), which are sent directly to the criminals. This tactic has prompted some banks to ask customers to turn off accessibility permissions or uninstall apps.
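As an added illustration of the accessibility-service abuse described above (not code from this post or from any vendor), the following Python example triages a device by listing enabled accessibility services and flagging those that are not allowlisted, raising severity when the app did not come from Google Play. It assumes the two inputs were collected with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the allowlist and all sample values are constructed.

```python
import re

PLAY_STORE = "com.android.vending"  # Google Play's installer package name

# Constructed sample data, not taken from a real device.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.coupons/.HelperService:"
                   "com.example.reader/com.example.reader.ReadAloud")
SAMPLE_PACKAGES = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.coupons  installer=null
package:com.example.reader  installer=com.android.vending
"""
ALLOWLIST = {"com.google.android.marvin.talkback"}  # assumption: org-approved services

def parse_enabled_services(raw):
    """Split the colon-separated 'package/class' list into (package, class) pairs."""
    raw = raw.strip()
    if raw in ("", "null"):          # setting unset: no services enabled
        return []
    services = []
    for comp in raw.split(":"):
        pkg, sep, cls = comp.partition("/")
        if not (sep and pkg and cls):
            continue                  # skip malformed entries
        if cls.startswith("."):       # expand short form ".Svc" to "pkg.Svc"
            cls = pkg + cls
        services.append((pkg, cls))
    return services

def parse_installers(raw):
    """Map package -> installer package (None when the device reports 'null')."""
    installers = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", raw, re.M):
        installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def triage(services_raw, packages_raw, allowlist):
    """Return findings for enabled accessibility services outside the allowlist."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        if pkg in allowlist:
            continue
        # Unknown or non-Play installer is treated as sideloaded.
        sideloaded = installers.get(pkg) != PLAY_STORE
        findings.append({"package": pkg, "service": cls,
                         "severity": "high" if sideloaded else "review"})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_SERVICES, SAMPLE_PACKAGES, ALLOWLIST):
        print(finding)
```

A "review" result still deserves attention: the post notes that banking trojans have been found on official app stores as well as unofficial ones.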
New security recommendations
To mitigate the impact of malicious mobile apps, the Monetary Authority of Singapore’s Cyber Security Advisory Panel issued a recent press release on “Ways to Tackle Mobile Malware Scams and Generative AI Risks for the Financial Sector.”
Singapore’s security recommendations are being interpreted as a bellwether of regulatory requirements to come. They’re advising:
- Multi-pronged security
- Phishing-resistant credentials
- Protocols to prevent GenAI data leaks and manipulation
- GenAI cybersecurity for proactive threat detection and advanced cyberattack simulations to enhance the overall defense
Authorities in Singapore are expected to complete a review by the end of 2023 to provide clearer, more detailed guidelines. This gives global banks little time to prepare.
How to stop malicious apps
Transmit Security offers a holistic identity-security platform with true passwordless MFA, passkeys with an added security layer and other strong forms of MFA, anti-malware, fraud detection and journey-time orchestration powered by machine learning, AI and GenAI.
As a complete, multi-pronged security solution, Transmit Security detects and blocks malicious apps, fraud, bots, phishing and deepfakes with capabilities designed to:
- Block malicious apps: Transmit Security has developed more robust AI models with GenAI, able to analyze event clusters and respond quickly to today’s malware that’s designed to evade detection. Our platform also detects infected app behavior that’s indicative of malware, including banking trojans, RATs and login overlays.
- Prevent GenAI threats: It doesn’t matter how professional the ads, social posts, reviews or deepfakes look. The Transmit Security real-time detection engine spots risk, trust, fraud, bots and aberrant behavior with multi-method detection that analyzes the full context of all that’s happening and compares it to the individual customer’s typical behavior.
- Stop phishing at its origin: Our risk engine blocks phishing sites and URL redirects the moment a customer clicks on a spoofed website. The domain, IP address, redirects, distribution methods, devices and behaviors all provide clues.
- Provide phishing-resistant authentication: Transmit Security supports and secures passkeys in addition to offering best-in-class passwordless MFA. Any user who has a device that supports fingerprint and face ID or passkeys can be prompted to use them. Customers who log in with our passwordless MFA achieve the highest level of assurance — without ever using a password.
- Meet privacy compliance out of the box: As a cybersecurity company with expertise in data protection, we’ve built the most secure platform to protect private data at all times. We also maintain those protections to evolve quickly as regulations change.
- Simplify fraud ops: As a unified identity-security solution, Transmit Security removes identity stack complexity and lowers operational costs while closing the security gaps that plague fraud teams. With our attack simulator (a key recommendation from Singapore), fraud teams can experiment with mock data or simulate real-life attacks.
The Transmit Security Platform also includes a GenAI conversational analytics tool, so, much like ChatGPT, you can get instant answers, charts or graphs to quickly interpret data about attacks, users and their security posture.
The Transmit Security Platform is strengthened by holistic, contextual analysis, behavioral biometrics, device fingerprinting and other AI-driven capabilities — all managed via one console. Read our technical brief for a deeper dive on how to prevent malicious apps.