Recently I saw an article suggesting that 97% of mobile transactions in Asia are fraudulent. Can this really be true? I decided to investigate.

The article highlights an excellent report published by Secure-D looking into mobile ad fraud, which it appears is a largely hidden multi-billion dollar enterprise, impacting emerging markets in particular. As you might expect with an enterprise of this size it is multi-faceted and complex. Two of the ways fraudsters are making money are as follows:

  • Fake clicks: The internet runs on advertising revenues obtained when a user clicks on an ad in a mobile app or on a web page. Fraudsters have numerous ways to create fake clicks that look like they have come from a real person, and then collect the associated fee. One way they do this is by deploying malicious apps to the devices of unsuspecting users, often disguised as a legitimate app offering an innocuous service such as weather information.
  • Hidden purchases: Many mobile users in emerging markets are unbanked and use their prepaid mobile airtime to purchase goods or services. Those same malicious apps can also siphon off funds from users without them realising it is happening. They just see their airtime running out more quickly than it otherwise would.

It is difficult to overstate the size of the ad fraud problem highlighted by Secure-D. They report, for example, that 23 million devices are compromised in Brazil alone. This level of fraud should clearly be a huge concern both to advertisers, who are losing a great deal of money, and to law enforcement, as that money is going into the hands of criminals. What does it mean for our customers, such as those providing mobile payments and mobile banking services?

Well some of the underlying techniques employed by the mobile ad fraud community should be of equal concern to financial services. These include:

  • Click-Jacking, also known as “Tap-Jacking”, where a software-based screen overlay is placed in front of a mobile app’s UI and captures touch events for malicious purposes. As well as intercepting user actions, the invisible overlay could redirect the user to a phishing website, which in the context of a mobile banking interaction could clearly be problematic.
  • Phone-Jacking refers to taking control of a mobile device. There are several ways to achieve this through a combination of malicious apps and social engineering. The result can be malware that sits in the background without the device owner’s knowledge. In the ad world, this allows fraudsters to exploit devices remotely to generate fake clicks. In mobile banking it could allow fraudsters to capture sensitive consumer data, as well as to use the device to gain access to backend services.
  • Emulators are used in ad fraud to generate fraudulent clicks and traffic. These may involve hundreds or thousands of virtual devices running on desktop and server-grade computers. Emulators present a slightly different challenge to banks: if their use is not detected, an attacker may be able to tamper with the mobile banking app as it executes, undermining the mobile banking processes and business flows.
  • IP Spoofing is used in ad fraud to change the apparent origin of ad clicks and views, which can be highly lucrative. In some cases, attackers use it to hide their digital tracks. In payments and banking, an attacker may employ similar techniques to avoid or slow down detection.
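Two of the techniques above, tap-jacking and emulator use, can be partially mitigated inside the banking app itself. The following is an added Android example, not code from the post or from Consult Hyperion; the class names PaymentConfirmButton and DeviceIntegrity are hypothetical, and the emulator check is a heuristic signal only, meant to feed server-side risk scoring rather than to be relied on alone.

```java
// Added example (not from the post): defensive checks for an Android banking app.
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.view.MotionEvent;
import androidx.appcompat.widget.AppCompatButton;

// A button used for sensitive actions (e.g. confirming a payment). It refuses
// touches delivered while another window, such as an invisible overlay, covers it.
public class PaymentConfirmButton extends AppCompatButton {
    public PaymentConfirmButton(Context ctx, AttributeSet attrs) {
        super(ctx, attrs);
        // Framework-level tap-jacking protection: drop touches when the
        // view is obscured by another window.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // Defence in depth: on Android 10+ also reject touches when only part
        // of the window is obscured (the flag exists from API 29).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0) {
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}

// Heuristic emulator detection based on well-known build properties of the
// Android SDK emulator and Genymotion. Hypothetical helper; not tamper-proof,
// so treat the result as one signal among several.
final class DeviceIntegrity {
    private DeviceIntegrity() {}

    static boolean isLikelyEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
            || Build.FINGERPRINT.startsWith("unknown")
            || Build.MODEL.contains("google_sdk")
            || Build.MODEL.contains("Emulator")
            || Build.MODEL.contains("Android SDK built for x86")
            || Build.MANUFACTURER.contains("Genymotion")
            || (Build.BRAND.startsWith("generic") && Build.DEVICE.startsWith("generic"))
            || "google_sdk".equals(Build.PRODUCT);
    }
}
```

A sophisticated attacker can patch these properties on a rooted device or modified emulator, so the app should report the signal to the backend and let the bank's risk engine decide how to treat the session.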

More importantly, the criminal community is not focused solely on exploiting weaknesses in advertising systems or on emerging markets. Organised crime is global and can strike anywhere. If you work for a financial services provider in a developed market, then perhaps a question you should be asking yourself is “How well do I trust my customers not to inadvertently download malware onto their devices?” I think the answer for many customers will be “not very”.

We are quietly working with banks and others to protect their customers as they interact with important services like banking through their mobile phones. Please get in touch if you’d like to find out more.

References:

[1] Secure-D, The Invisible Digital Threat: Mobile Ad Fraud 2019 Report. https://www.secure-d.io/mobileadfraud2019report/

Lishoy Francis

Lishoy Francis is a Senior Consultant at Consult Hyperion. He specialises in NFC/RFID, Secure Elements - (U)SIM and embedded UICC, Trusted Execution Environments (TEE), standards, and applied cryptography. He is currently managing Consult Hyperion’s Information Security activities within a number of North American and UK banks, for whom he has designed and implemented application security frameworks and security protocols; evaluated the security design of their mobile applications, performed security tests, and reported any security related findings to the customer. He leads Consult Hyperion’s security testing (penetration testing) practice and is responsible for managing a team of ethical hackers who are focused on testing mobile banking and wallet applications prior to commercial release. He has been acknowledged by Research in Motion (RIM) for finding a security issue in their NFC API and has authored over 14 publications in peer-reviewed international journals, security conferences, and workshops. He is a named inventor of several security techniques and technologies.
