The latest generation of malware can automatically cancel biometric security measures.
In research seen by PYMNTS, Dutch cybersecurity firm ThreatFabric details how an Android banking Trojan dubbed “SharkBot” can take over a user’s device and cancel the biometric verification pop-up when they attempt to log in to their mobile banking app.
When this happens, apps default to PIN- or password-based verification, allowing the malware to steal login credentials by keylogging — the act of capturing information as keys are struck on a keyboard.
This evolution of the malware threat comes at a time when biometric authentication is being increasingly adopted by U.K. consumers and most of the country’s major banking apps offer facial recognition or fingerprint-based login to confirm payments.
In fact, a survey of 16,000 consumers by iProov found that over a quarter of those in the U.K. reported using facial identification to access their mobile banking app, while only slightly fewer said they don’t but would if it was available on their device.
Read more: Behavioral Analytics Balance Experience and Security for BNPL Players
This creates a major challenge because ThreatFabric’s findings, which emerged from the company’s collaboration with U.K. banks, reveal that cybercriminals are attempting to circumvent fraud prevention measures that rely on biometric authentication.
In an interview with PYMNTS, ThreatFabric CEO Han Sahin said that the tactic exposed a weakness in the fallback mechanism apps use when users cancel biometric authentication and highlights a false sense of security created by compliance-based approaches to preventing fraud.
As he noted, “biometric authentication was meant to avoid keylogger type malware attacks,” but as long as it can be easily avoided by closing a pop-up, criminals have proven perfectly capable of bypassing biometric security prompts.
To do this, the SharkBot Trojan takes advantage of Android accessibility settings designed to make device use easier for the visually impaired. And as ThreatFabric has discovered, many of the U.K.’s most-used banking apps have been targeted, with SharkBot deploying specific scripts from each one.
For now, Sahin acknowledged that being able to fall back on a password is still important for the sake of usability, especially since not everyone has a biometric-enabled device, and there are multiple instances when technical or circumstantial factors make biometric authentication impossible or inconvenient.
“You can only solve this if you have those types of fallback methods removed … but as long as we fall back [on passwords], the weakness will be abused,” he said.
SharkBot exposes a problem with treating customer authentication as a purely compliance issue, Sahin said, alluding to the European Union’s Second Payment Services Directive (PSD2).
“When you get these biometric prompts, you go through all the compliance checks,” he pointed out, “however, if you look at the actual implementation of it and the fact that you can fall back on [password-based logins], is that really … strong authentication?”
For banking apps to protect consumers from this type of threat, he suggested that more attention needs to be paid to how people authenticate themselves, rather than just assuming that because biometric login was offered, that makes the authentication secure.
Going forward, Sahin said that passwordless authentication technologies play an important role, but are some way off from mainstream adoption. Until then, banks should recognize that if users have not identified themselves biometrically, it poses a greater fraud risk, and they should consider placing restrictions on the type of transactions that can be initiated.
What’s more, he argued that there has been a misplaced trust in existing authentication flows, which extends even to assumptions about the security of mobile operating systems.
After all, SharkBot and other Trojans like it are typically distributed via legitimate apps that criminals have purchased and altered as a way to infect users’ devices. And in the grand scheme of things, Google’s Play Store and the Android operating system also play a part in allowing such malware to spread in the first place, he said.
For all PYMNTS EMEA coverage, subscribe to the daily EMEA Newsletter.
We’re always on the lookout for opportunities to partner with innovators and disruptors.
Learn More