Banking Malware & Attack Vectors Outlook For 2020 (Part 2) |

Desktop Malware Coming from Spam/Phishing e-mail

Excel File With Macros

Microsoft Office applications, specifically Word and Excel, feature powerful macro languages, and macro is still a popular method for malware delivery. These days macros are disabled in applications by default. Malware author must convince the user to enable the macros, so the malware gets executed. An infected file is usually delivered by an e-mail, and it can also be inside a ZIP file.

EXE File Masquerading Itself With Different Extension In Its Name

The file extension is usually hidden to the user. Yet, the attacker tries to persuade the user that he is opening an Office file by adding the office extension in the file name. The name appears, for example, as Invoice.xlsx while “exe” stays hidden, but the entire file name is actually Invoice.xlsx.exe, and the malware gets executed when a user opens it.

Visiting pages where Flash with vulnerabilities is loaded, Flash opens Win PowerShell and executes code (file-less malware attack)

Attackers try to exploit potential software vulnerabilities to take control of the affected system. A malicious software is loaded by the user in Flash. The player enables the attacker to exploit these vulnerabilities.

Malware Code Execution via Webinjection Technique

Webinjects are usually used for stealing sensitive data, such as a cookie/session (man-in-the-middle attack) or for transaction tampering.

Website clickjacking

Tricking users into clicking on the website element — which is disguised as another, using transparent or concealed layers is another way how you can get malware to your computer. The user simply clicks on a seemingly harmless popup, but malware is downloaded instead.

Other file-less malware

File-less malware is leveraging trusted processes such as PowerShell (Ramnit Trojan), Microsoft Office Macros (Ursnif) WMI. The malicious code present in already installed legitimate desktop applications (web browser) or mobile app (usually to spy on users)

Mobile malware tricks

As said before, malware often misuses app permissions and tricks users into granting them. Examples of such permissions are:


Attackers use an overlay technique to render an extra layer on top of other apps. Overlays can intercept user input that is intended for the underlying app and capture sensitive data.

SMS Stealing

If malware requests access to SMS messaging, and user grants it, it might lead to leakage of OTP (one-time-password). Malware can forward this password to to the attacker using HTTP or directly by re-sending all received SMS. Prevention: Suspicious permissions are namely READ_SMS, RECEIVE_SMS, SEND_SMS.

Accessibility Abuse

It is a part of the Android operation system. It allows people with disabilities to use their phones without obstacles. Malware of the Anubis family (described in the Part 1 of this article) serves as a perfect example of the Accessibility Abuse attack. When the malware succeeds in receiving the accessibility service permission, it can grant itself any further permission it wants and gain access to OTP/2FA, as we described earlier on our blog.

Abusing Android’s Multitasking System

An example of abusing multitasking is StrandHogg vulnerability. The vulnerability makes it possible for a malicious app to ask for permission while pretending to be a legitimate application. For example, this means the malware can ask for permission to read SMS messages when the victim opens the legitimate SMS application.

Keylogging Apps

Applications using this keylogging are usually combining phishing techniques with the extra ability to misuse permissions (overlay/SMS) rights to make a payment transaction on the user’s behalf.

Trojanization of App

Probably the rarest attack listed. These consist of legitimate apps that, after an update, serve as malware droppers — they install additional apps to the device, which can be malicious.


Without any doubt, we will increasingly hear more about mobile attacks. The mobile platform is becoming the primary banking tool for most. Attackers are logically targeting mobile apps exploiting new ways how to fool users. Nowadays, with the usage of sophisticated methods emerging every day, even trained and security-aware users might be tricked and eventually robbed.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store