WebInject to mobile attack

On multiple occasions, through bugFraud, we have detected WebInject attacks that begin with a computer banking Trojan and which, on account of the protection methods offered by banking institutions, have had to adapt to attack the mobile device.

Cybercriminals use different social engineering techniques to manipulate users with the intention of getting them to install an application in their mobile phones that serves to bypass the bank’s two-factor protection method (2FA) and even to retrieve more of the victim’s data in order to continue exploiting them at a later date.

One of our clients is constantly suffering from this type of attack; hence, here at buguroo LABs, we thought it would be a good idea to give you a general description of the threat, explaining how it works and how this threat type has adapted to other platforms.


Credential and banking data theft

The WebInject we are going to talk about checks specific fields on the banking institution’s website in order to detect which page the user is on.

If they are on the authentication or customer login page, the malware will steal the identification number and the password.

If, on the other hand, it has already been authenticated, it will try and retrieve banking information, such as active accounts and the available balance. In this way, the cybercriminal can find out what the victims are like and decide who to steal from at a later date.

Furthermore, in the WebInject analyzed, a specially-designed HTML is used to attempt to get the user to enter a debit card and their PIN in order to have more means at their disposal through which to steal money from the victim’s accounts.



Figure 1. Debit Card Theft

Tricking the victim

By using malware, the cybercriminal tries to make the victim think that their bank has a new security application and, in this way, manage to access their mobile device.


Figure 2. Device selection


Depending on the selection made by the victim, the WebInject will attempt to install an application that affects their mobile phone.

As there is no application for IOS in this attack, if the victim selects the Apple brand, they will be safe.

If, on the other hand, they should choose any of the other brands, it will try and get the user to download and install a malicious Android application.

APK installation

In order to ensure that the installation is successful, the browser will show the user what changes they have to make in their mobile device and will ask for a code generated by the malicious application so that the one which has been infected correctly can be viewed from its comprehensive list of victims.



Figure 3. Installation from unknown sources

SMS theft

Once the application has been installed, it requests privilege escalation and a change in the SMS management application. In this way, it will gain access to the SMS received and will process them in order to send them to the attacker’s control panel at a later date.


Figure 4. Reading received SMS


As we can see, banking Trojans have gradually evolved so that malware is already able to track all the devices connected to the victim in order to bypass two-factor authentication measures (2FA).

At the present time, protection against these attacks can be tackled from different perspectives. On the one hand, we can protect the user infected by the banking Trojan and block the WebInject detected or, on the other, we can detect the malicious application attempting to make changes in the mobile device. Finally, an Account Takeover can be detected and use of the stolen credentials blocked.

Our bugFraud solution serves to address these different perspectives and to protect both the victim and the organization and, in this way, prevent fraud.


Deep Learning for Online Fraud Prevention

Posted by David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of Revelock’s development team, managing task distribution and negotiating with the Head of Technology.



bugFraud starts detecting a likely account takeover attempt from the moment a fraudster opens a login page and enters a victim’s compromised credentials. No matter what or who is executing an attack –human or bot – bugFraud will immediately detect anomalies across several verification parameters.


Solicita una demo

Would you like to know how our solution protects your bank?

Check how our solution can help you to resolve your company's online fraud issues by requesting a free DEMO and we explain it to you in detail.

Watch video

Did you like it? Share in your social communities.