Few apps are as secure as banking software on mobile devices, but these apps could still be feeding cybercriminals your most precious and sensitive information, such as login credentials and contact details.
Clickjacking makes the theft of sensitive, private information as quick and easy as signing on to an app. Malware like Svpeng illustrates the effectiveness — and the prevalence — of this type of crime.
Clickjacking allows a hacker to insert an invisible user interface layer between your fingertip and what you see on your device's screen.
You may think you're viewing the bank's display after entering your ID and password, but what you actually see is a replica of the same screen laid on top of the bank's real information.
When you enter your private information, the data doesn't go to the bank for verification, it instead goes to the file servers the cybercriminals maintain to steal account access information.
Clickjacking for Profit
In July 2017 Kaspersky Lab's Roman Unuchek, a senior malware analyst, reported on the SecureList blog that the Svpeng malware was "going viral." Svpeng initially appeared in 2013 to steal banking details from Android device users. Once it was downloaded onto a mobile device, it clickjacked user data, but the problem goes much deeper than that.
Once the malware gains access to Administrator privileges, it can choose which overlay screens to use, send and receive SMS text messages, make phone calls, and read contacts.
The malware then sends screenshots and any other material hijacked from the device back to a Command-and-Control server operated by the hackers. This could include contacts, installed apps, call logs, and SMS texts — particularly problematic because banks typically send verification codes to users via SMS texts.
Within a single week, Svpeng had spread across 23 countries, according to Unuchek.
Clickjacking Occurs on Nearly Every Platform
Although Android phones seem particularly vulnerable to clickjacking, it can occur on any machine that accesses the internet: mobile devices, tablet computers, desktop computers, and laptop computers.
In mid-2016, Google removed ads with transparent layers that fooled millions of users into clicking on links that took them to unsolicited websites. In many instances, these websites contained malware, adware, and even spyware that was downloaded and installed, sometimes without the user's knowledge.
Unscrupulous companies can use clickjacked pages to trigger one-click orders from Amazon. On social media platforms like Facebook, they create artificial "likes” on posts (called “likejacking”), or they recruit unwitting followers on Twitter. Clickjackers also download malware that forces users to fraudulently click on invisible ads, according to MarketingLand.com.
How to Defend Against Clickjacking
One of the most common ways clickjacking software gets on devices is through targeted emails. Unfortunately, in a world where hackers have stolen billions of customer accounts with contact details, it only costs pennies per account for cybercriminals to buy this information. The likelihood of cybercriminals having at least your email account on file along with its associated banking institution is high.
Watch out for emails that arrive in your inbox claiming to address an urgent matter requiring your attention. These emails require you to click a link, and that link could take you to a website that looks identical to your banking or other official website to fool you into downloading the latest version of the institution's app or filling out profile information.
If the goal is to get you to download an app, the app is probably malware that captures and steals all your credentials. In other cases, the website itself could be the source of the malware that sneaks onto your device. Regardless of how it happens, the malware presents false input layers for you to fill out.
It's also important to avoid clicking on ads on Google or Facebook that offer something too good to be true or promote news or stories that seem out of the ordinary. In some cases, clicking on these items could take you to a website that downloads clickjacking software onto your computer. Instead, look for the news on an alternative channel, such as a reputable, long-standing newspaper. If the news is real, it won't be hard to find on valid outlets.
Always download apps onto devices through authorized app libraries. These libraries have both software agents and human beings working to weed out malware and leave appropriate content. It's not always easy to spot fake or invisible interfaces, but a healthy dose of skepticism when handling anything related to the internet can greatly contribute to a satisfying user experience.