According to Symantec Corp., mobile phone banking transactions are more vulnerable because of Android malware that eavesdrops on incoming SMS messages and forwards them to another SMS number or server. This sort of data leakage represents a significant risk, both to individuals and to organizations. The potential exists for attacks like these to target Internet banking services that send mobile transaction authentication numbers via SMS. Many banks send authentication codes to your phone via SMS each time you do an online transaction. This means that just stealing a login password is no longer enough for criminals to raid your account. But malware on your phone, such as the Zeus-based Andr/Zitmo (and similar versions targeting BlackBerry) are capable of intercepting those SMS messages.
Consider the following hypothetical scenario. Through a conventional phishing attack, a victim gives criminals sufficient information to allow them to sign in to your mobile banking account and also port your phone number (this has happened). They can now log in to your online bank account while also receiving an SMS containing the second-factor authentication token needed to complete a transaction. Through the use of a malicious Android app that harvests SMS messages in real time and in concert with a social engineering attack, attackers open a brief window of opportunity to steal this token and use it.
Consider the following hypothetical scenario. Through a conventional phishing attack, a victim gives criminals sufficient information to allow them to sign in to your mobile banking account and also port your phone number (this has happened). They can now log in to your online bank account while also receiving an SMS containing the second-factor authentication token needed to complete a transaction. Through the use of a malicious Android app that harvests SMS messages in real time and in concert with a social engineering attack, attackers open a brief window of opportunity to steal this token and use it.
