Beating Android.Bankosy Malware With Call Forward Detection

With mobile devices becoming increasingly integral to our daily lives, it's no surprise to see more types of fraud emerge to exploit these same devices. And as fraudsters get more sophisticated in their attacks, it is more important than ever for companies to be vigilant in monitoring for new types of fraud and to stay up to date on how to protect their users and their platforms.

What Is Android.Bankosy?

First discovered by Symantec, the personal-data-stealing malware Android.Bankosy has recently been updated so it can steal one-time passcodes delivered via voice call-based two-factor authentication (2FA) systems. It works by using the call forwarding feature to hijack a user's mobile device and redirect all voice traffic (including one-time passcodes) to the hacker's phone. It is a targeted type of attack that requires the malware to be installed on the mobile device (typically through malicious app downloads) in order to open backdoor access to the device for the hacker. So far it has been seen most commonly targeting banking and email accounts.

What makes this type of malware so effective is the way it cleverly overcomes standard security policies and practices (such as phone-based 2FA), even though all parties involved are doing their due security diligence. Without access to the full scope of information created by the malware, however, traditional security measures only serve to feed into this fraud rather than block it. That's where TeleSign's Call Forward Detection (CFD) feature comes in.

How to Detect It

TeleSign Voice Verify offers a CFD feature that includes the ability to detect when a call is being diverted to another phone number. The CFD feature provides indicators for businesses to determine whether to block, allow or require additional user challenges for a verification to proceed. The key lies in using phone number intelligence to monitor for unconditional call forwarding, meaning calls are forwarded in any and all circumstances, as opposed to conditional call forwarding, which typically only happens when a number is busy or out of coverage. Unconditional call forwarding, which is rare, is a key indicator of fraud, and TeleSign uses proprietary data services to make customers aware when this is happening. CFD operates in real time, before a verification call is initiated, and the service quickly checks for call diversion. With integration of Voice Verify and any policy enforcement based on the business rules your organization applies, CFD can block calls, allow calls, or allow calls and adjust risk levels.

Some of the most common uses of call forwarding fraud (such as with Android.Bankosy) occur in two-factor authentication, where the fraudster is stealing one-time passcodes; in financial services, when PINs are being delivered or confirmed; and in password resets, where fraudsters steal account information to take over an account. Ultimately, integrating some form of call forward detection will help reduce the risk of a fraudulent verification proceeding while reducing brand damage and cost to your business.
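The block, allow or challenge decision described above, applied to the flows this section names as common fraud targets, can be sketched as a pre-call policy gate. This is an added example, not TeleSign's code or API: the `Forwarding` values, flow names, risk numbers and the step-up rule for an unavailable lookup are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Forwarding(Enum):              # hypothetical result of a pre-call lookup
    NONE = "none"
    CONDITIONAL = "conditional"      # diverted only when busy / out of coverage
    UNCONDITIONAL = "unconditional"  # every call diverted
    UNKNOWN = "unknown"              # lookup failed or returned no answer

class Action(Enum):
    ALLOW = "allow"
    CHALLENGE = "challenge"          # require an additional user challenge
    BLOCK = "block"

# Flows the article names as common targets (names are illustrative).
SENSITIVE_FLOWS = {"2fa_login", "pin_delivery", "password_reset"}

@dataclass(frozen=True)
class Decision:
    action: Action
    risk: int                        # constructed 0-100 score for a risk engine
    reason: str

def decide(forwarding: Forwarding, flow: str, base_risk: int = 10) -> Decision:
    """Evaluate before the voice call is placed, so a diverted code is never spoken."""
    sensitive = flow in SENSITIVE_FLOWS
    if forwarding is Forwarding.UNCONDITIONAL:
        if sensitive:
            return Decision(Action.BLOCK, 100, "unconditional forwarding, sensitive flow")
        return Decision(Action.CHALLENGE, min(100, base_risk + 60),
                        "unconditional forwarding")
    if forwarding is Forwarding.UNKNOWN:
        # Assumption: with no signal, step up sensitive flows instead of trusting the call.
        action = Action.CHALLENGE if sensitive else Action.ALLOW
        return Decision(action, min(100, base_risk + 30), "forwarding status unavailable")
    if forwarding is Forwarding.CONDITIONAL:
        # Allow, but raise the risk level passed downstream.
        return Decision(Action.ALLOW, min(100, base_risk + 10), "conditional forwarding")
    return Decision(Action.ALLOW, base_risk, "no forwarding")

def evaluate(requests):
    """Map each (phone, flow, forwarding) request to the action taken."""
    return {phone: decide(fwd, flow).action.value for phone, flow, fwd in requests}

# Constructed sample requests; the phone numbers are fictional.
SAMPLE = [
    ("+15555550100", "password_reset", Forwarding.UNCONDITIONAL),
    ("+15555550101", "2fa_login", Forwarding.CONDITIONAL),
    ("+15555550102", "pin_delivery", Forwarding.UNKNOWN),
    ("+15555550103", "appointment_reminder", Forwarding.UNCONDITIONAL),
]

if __name__ == "__main__":
    for phone, action in evaluate(SAMPLE).items():
        print(phone, action)
```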

Although CFD can be very effective for businesses looking to combat call forwarding fraud, there are also steps consumers can take to avoid becoming victims themselves. These include being hypervigilant about reviewing the apps you download and reviewing the permissions they request before accepting their conditions.

To learn more about Call Forward Detection, check out our Voice Verify API.
