Last-minute paper: Making a dent in Russian mobile banking phishing

Thursday 1 October 10:00 - 10:30, Green room

Sebastian Porst (Google)

Over the last few years, phishing apps that target customers of Russian banks have been steadily on the rise. Until early 2015 that is, when some AV vendors noted a sharp decline in affected Android devices in the wild. In their reports, these AV vendors did not try to explain the reason behind that decline. That's where our talk comes in.

In this session, we show what Google's Android Security Team did during that time to help keep users safe. Starting in January 2015, we set up an internal task force to push back the spread of Russian bank phishing apps. For months, this task force met on a daily basis to track the spread of Russian bank phishing apps and worked on protecting users from these malicious apps.

The whole process allowed our team to fine-tune our workflows and learn more about mobile threats and user behaviour. Most importantly, we identified a number of ways in which these apps abused system settings and APIs to make it more difficult for users and security tools to remove them. While we are typically able to remotely remove confirmed malicious apps if required, these abusive techniques initially enabled the malicious apps to circumvent our removal tools.

After we had identified the techniques these apps used to remain persistent on phones, we updated the necessary code in the Android Open Source Project and Google Play Services to make it possible for us to remove them. Additionally, we started to actively block installation of the malicious apps to further protect users. All of this combined led to the aforementioned decline of Russian phishing apps.

This talk describes the things our task force focused on during their work to protect users from the Russian phishing apps. It describes which techniques Russian phishing apps used to stay persistent, how we changed Android to deny them their tricks, and how this phishing scam went down (literally). For the first time you will receive a look into the inner workings of Google's Android anti-malware effort and what our team does to protect users from mobile threats.

Click here for more details about the conference.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.