

Over the last few years, banks and other financial institutions have been trying to prevent fraud and cyber-attacks from reaching their customers' credentials. They increased security and added login factors to avoid this kind of problem. One of these is Two-Factor Authentication (2FA), used to "help" the username and password protect the bank account.

However, today this system can be bypassed by malicious users. Trend Micro said:

“The attack is designed to bypass a certain two-factor authentication scheme used by banks. In particular, it bypasses session tokens, which are frequently sent to users’ mobile devices via Short Message Service (SMS). Users are expected to enter a session token to activate banking sessions so they can authenticate their identities. Since this token is sent through a separate channel, this method is generally considered secure”.

This article is a real use case of this kind of malicious software. During our recent malware analysis targeting Italian financial institutions, we found a very powerful piece of it that can bypass 2FA with a malicious app installed on the phone. Malware like this can drive the user to download the fake application onto their phone from the official Google Play Store, using a Man in the Browser (MITB) attack. Once on the user's PC, the attacker can take full control of the machine and interact with it through a Command and Control (C&C) server. What we explain in this article is a real active botnet with at least 40 compromised zombie hosts.


During the last few days, we have seen criminals developing more sophisticated solutions and gaining more knowledge in mobile and web programming. This scenario is growing throughout the entire world, though it is concentrated mostly in Europe. Criminals are developing solutions to bypass the 2FA used by 90% of banks by publishing "legal" applications in the Google Play Store and Apple App Store. These applications can steal information on the phone, intercept it, and send it over the network silently. The latest operation, named "Operation Emmental" and discovered by Trend Micro, acts in just this way. In this section, we will show how a criminal can force a user to download and install the mobile application.

When malware infects the machine and the user navigates to the online banking platform, a MITB attack starts injecting JavaScript code into the browser. This injection modifies some data in the page while keeping the same structure. During navigation, the hijacked website invites the user to download the fake application, explaining all the steps to insert their bogus data. The app can be downloaded in two different ways:

SMS (by inserting your number in the fake form, you will receive an SMS with the download link from the store)
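The injection described above keeps the page structure intact but adds content, typically an extra form field asking for the customer's mobile number so the SMS download link can be sent. One defender-side check is to compare the input fields actually present (or the parameters actually submitted) against the set the bank's page is known to render. The following is an added example written for this article, not code from the original post or from any bank or vendor; the baseline field names, the sample pages and the sample POST body are all constructed for illustration.

```javascript
// Added example (not from the original article): detecting form fields that a
// man-in-the-browser (MITB) injection added to a login page.
// Assumption: the genuine login page renders exactly these input names.
const EXPECTED_LOGIN_FIELDS = new Set(['username', 'password', 'otp']);

// Extract the name attribute of every <input> in an HTML string.
// A simplified regex parser is used so the example runs without a DOM;
// a page-integrity script would read form.elements instead.
function extractInputNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let match;
  while ((match = re.exec(html)) !== null) {
    names.push(match[1].toLowerCase());
  }
  return names;
}

// Fields present in the rendered page but absent from the baseline:
// these are the candidates injected by MITB.
function findInjectedFields(html, expected = EXPECTED_LOGIN_FIELDS) {
  return extractInputNames(html).filter((name) => !expected.has(name));
}

// Server-side variant: a client-side check can itself be tampered with by the
// same injection, so the bank's backend should also flag unexpected parameters
// in the submitted login request (URL-encoded body).
function findUnexpectedParams(postBody, expected = EXPECTED_LOGIN_FIELDS) {
  const params = new URLSearchParams(postBody);
  return [...params.keys()]
    .map((key) => key.toLowerCase())
    .filter((key) => !expected.has(key));
}

// Constructed sample: the genuine login form.
const GENUINE_PAGE = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="otp">
</form>`;

// Constructed sample: the same form after a MITB injection adds a phone
// number field used to deliver the "security app" SMS link.
const INJECTED_PAGE = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="otp">
  <input type="tel" name="phone_number" placeholder="Mobile number for the security app">
</form>`;

// Constructed sample: a login POST carrying the injected parameter.
const SUSPICIOUS_POST = 'username=mario&password=secret&otp=123456&phone_number=%2B39000000000';

console.log('injected fields:', findInjectedFields(INJECTED_PAGE));      // [ 'phone_number' ]
console.log('unexpected params:', findUnexpectedParams(SUSPICIOUS_POST)); // [ 'phone_number' ]
```

The page-level check is useful as telemetry, but because the injected script runs in the same browser it can also neutralise an in-page monitor; the server-side parameter check is the one a bank can actually rely on, and a login request carrying a field the genuine form never renders is a strong indicator that the customer's machine is infected.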


Published in Research

