Dvara Research Blog | The Use of Malware in UPI related Fraud 


Author:

Shreya R[1]

One-click frauds: An introduction

In a recent study to evaluate the effectiveness of consumer awareness campaigns relating to Unified Payments Interface (UPI) frauds, Dvara Research interviewed ~85 low-income, new-to-UPI users from metro cities and small towns[2]. In these interactions, some respondents reported having lost money from their UPI account simply by clicking on a link received on their phone. The attacks on their funds were carried out without the user divulging any information to fraudsters or engaging with the links beyond clicking on them. Complaints of such single-click frauds have also been received by cyber-crime officials in different parts of the country (The Times Of India, 2020) (Mint, 2022). These reports and our findings suggest that fraudsters can now attack UPI accounts without preying on users for sensitive financial information via social engineering[3]. As a result, UPI users stand to lose money to frauds even when they refrain from interacting with fraudsters and divulging information to them. This article focuses on such minimum-interaction UPI frauds, the manner in which they are distributed and deployed, and the consumer protection threats they pose.

UPI’s Security Architecture and What it Means for Frauds

Developed by the National Payments Corporation of India (NPCI), UPI is India’s most widely used digital payment infrastructure. In March 2023, UPI registered 8,685.3 million transactions of INR 14,104.4 billion in value across all UPI-integrated applications. Simultaneously, the union finance ministry reported that 95,000 UPI fraud cases were recorded in the year 2022-23, 84,000 in 2021-22 and 77,000 in 2020-21 (Rajya Sabha, 2023). This shows that the number of fraud cases in UPI has been consistently on the rise. Moreover, the true number of fraud incidents is likely much higher than reported as affected users often do not report fraud (Blackmon, Mazer, & Warren, 2021). With such pervasiveness, the issue of fraud in UPI is both a policy imperative and a customer protection concern.

UPI frauds are essentially the theft of money from a UPI user’s account through deception or misrepresentation, executed either through social engineering or malware. To safeguard users from fraud and unintended execution of transactions, UPI transactions are secured by a two-factor authentication (2FA) mechanism. The first factor is the fingerprint of the mobile user’s device[4] and the second factor is the m-PIN set by the user, which is required to validate each transaction (National Payments Corporation of India, n.d. and 2016). Therefore, to defraud a UPI user, the fraudster must break both these safeguards. This is done either by tricking the UPI user into authorising a fraudulent transaction, for instance by sending a ‘collect request’ in the garb of a ‘receive request’, or by illicitly obtaining the sensitive information that would allow fraudsters to authorise the transactions themselves. Fraudsters typically rely on social engineering for this, manipulating users into revealing OTPs, m-PINs and passwords, or into authorising transactions they did not intend.

Alternatively, fraudsters may resort to malware in combination with light-touch social engineering to obtain sensitive information that allows them to take control of the user’s UPI account. A recent study by Deepstrat and The Dialogue analyzed First Information Reports (FIRs) registered with Gurugram Cyber Police Station between August 2019 and September 2020 and found a high prevalence of social engineering methods due to their low cost and high success rate (Mohan, Datta, Venkatanarayanan, & Rizvi, 2022). However, incidents of fraud through malware are equally concerning, as malware can limit the need for fraudsters to interact with users, making these attacks even harder for users to detect. Next, we look into the most commonly used malware.

How Does Malware Circumvent Two-Factor Authentication?

Malware or malicious software is an umbrella term for any type of software intentionally designed to harm computer systems. Regulators and authorities have long cautioned against cybercriminals employing malware to gain access to the financial accounts of users (Reserve Bank of India, 2022). Several types of malware can inflict different types of harm, or ‘threats’ on users such as credential exposure, surveillance and invasion of privacy, extortion, identity theft, and financial loss, among others (Cisco).

Banking trojans are a type of information-stealing malware commonly used in digital payment frauds. As the name suggests, they are malicious apps in the guise of seemingly useful ones such as a flashlight, a game, or a file reader (Investopedia, 2022). Once downloaded, however, they steal sensitive information, such as login credentials, UPI PINs, and OTPs, by capturing data from the user’s mobile device. Over time, a trojan can collect enough of the user’s information to bypass 2FA (Cybereason Nocturnus, 2020). Given that, in the case of UPI frauds, the goal of the attacker is to obtain information that grants access to UPI accounts, banking trojans can be instrumental in realizing such frauds. This is also borne out by evidence: the targeted apps listed in the threat report on BlackRock, a banking trojan, include a UPI application (Threat Fabric, 2020).

EventBot is another banking trojan that emerged in March 2020. It disguises itself as a useful application such as Microsoft Word or Adobe Flash. However, it is capable of and deployed for reading and intercepting SMS messages, recording keystrokes and retrieving notifications about other installed applications and content of open windows.

Such malware may circumvent the need for extensive social engineering and realise successful frauds without the user actively engaging with the fraudster or sharing information. Therefore, to prevent such frauds, users ought to be made aware of them and of the common distribution channels fraudsters use to deploy malware. Next, we examine these distribution channels.

How is Malware Distributed?

Some of the ways in which malware can reach the devices of UPI users include:

  1. Phishing links:

    The analysis of FIR data by The Dialogue and Deepstrat showed that some frauds were carried out by sending users a link which, when clicked, installs malware. About a quarter of the 1228 cases of fraud were realized by sending links to the affected users. These fraudulent messages are circulated through SMS, instant-messaging applications, emails, and social media. They are disguised as messages from authoritative senders such as banks or regulators and are designed to bait the recipient into clicking on the infested link. The RBI also cautions users against clicking on unverified/unfamiliar links, which makes them vulnerable to downloading malware (Reserve Bank of India, 2022).

  2. Malvertisements:

    Malvertisements, also known as malvertising, refer to online advertisements that contain malicious code (Center for Internet Security). Malvertisements can exploit vulnerabilities in the user’s browser or operating system to deliver malware to the user’s device, such as adware, spyware, ransomware, or trojans (Center for Internet Security). They can also trick users into clicking on links that download malware by mimicking legitimate ads (Center for Internet Security). For instance, it was found recently that hackers used advertising in Google search results to set up websites that promoted trojan apps (Ilascu, 2023).

  3. Downloading apps from untrusted sources:

    Trojan malware is often disguised as legitimate apps and distributed through third-party app stores. EventBot and BlackRock are both distributed largely via this channel (Threat Fabric, 2020) (Cybereason Nocturnus, 2020).

  4. Juice jacking:

    The RBI also identifies that fraudsters use public charging ports to transfer malware into users’ phones when connected. This is known as juice jacking (Reserve Bank of India, 2022).

  5. Insecure or fake Wi-Fi networks:

    Fraudsters may create a fake or rogue Wi-Fi network that looks legitimate and trick people into connecting to it. Once connected, the attacker can use the Wi-Fi connection to disseminate malware (Proof Point).

  6. Exploitation by technology assistants:

    New-to-tech users are likely to seek assistance for accessing and using UPI. Anecdotal evidence suggests that, due to a lack of oversight, people providing such assistance often install malware under the pretence of helping (Kumar, Security Analysis of Unified Payments Interface and Payment Apps in India – Paper presentation, 2020).
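As an added illustration (not code from the original post or from Dvara Research), the following Python script applies the warning signs described under phishing links above to a handful of constructed SMS messages: a lure that invokes a bank or regulator, a link whose domain is not one the defender has verified, a shortened or plain-HTTP URL, a direct .apk download, and urgency language. The sender IDs, message texts, domains and the VERIFIED_DOMAINS allowlist are all made up for the example; the flags it raises are triage hints for a consumer-protection or SOC analyst, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real fraud texts). The "sender" field mimics
# the alphanumeric sender IDs and phone numbers seen on Indian mobile networks.
SAMPLE_SMS = [
    {"sender": "AX-MYBANK",
     "text": "Dear customer, your KYC is pending. Update now at "
             "http://mybank-kyc-update.example-verify.top/app.apk or your account will be blocked."},
    {"sender": "VM-RBIALT",
     "text": "RBI alert: claim your refund of Rs 4,999 via https://bit.ly/3xRBIrefund"},
    {"sender": "AD-MYBANK",
     "text": "MyBank: your statement for March is ready. Log in at https://www.mybank.example to view it."},
    {"sender": "+919812345678", "text": "Hi, are we still meeting at 6?"},
]

# Hypothetical allowlist: domains the defender has verified for the institutions
# named in messages. A real deployment would maintain this from official sources.
VERIFIED_DOMAINS = {"mybank.example", "rbi.org.in", "npci.org.in"}

INSTITUTION_WORDS = re.compile(r"bank|rbi|npci|upi|kyc|refund|reward", re.I)
URGENCY_WORDS = re.compile(r"\b(blocked|suspend\w*|pending|immediately|now|expire\w*)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy"}
APK_PATH = re.compile(r"\.apk(\?|$)", re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels, or three for 'co.in'-style suffixes."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "org", "gov", "ac", "net", "nic"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def assess_sms(msg: dict) -> list:
    """Return the sorted list of risk flags raised by one message."""
    flags = set()
    urls = URL_RE.findall(msg["text"])
    if not urls:
        return []                          # no link, nothing to click: out of scope here
    institutional = bool(INSTITUTION_WORDS.search(msg["text"]))
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
            flags.add("ip_literal_host")
        if host in SHORTENERS:
            flags.add("shortened_url")      # destination hidden from the user
        if APK_PATH.search(parsed.path):
            flags.add("apk_download")       # link installs a package directly
        if parsed.scheme.lower() == "http":
            flags.add("plain_http")
        if institutional and registrable_domain(host) not in VERIFIED_DOMAINS:
            flags.add("institution_lure_unverified_domain")
    if institutional and URGENCY_WORDS.search(msg["text"]):
        flags.add("urgency_pressure")
    return sorted(flags)


def triage_sms(messages):
    """Pair each sender with its flags; an empty list means no indicator fired."""
    return [(m["sender"], assess_sms(m)) for m in messages]


if __name__ == "__main__":
    for sender, flags in triage_sms(SAMPLE_SMS):
        print(sender, "->", ", ".join(flags) or "no indicators")
```

The allowlist check is the part worth keeping in any real filter: a message that names a bank or regulator but links somewhere the institution does not own is the pattern the FIR analysis describes, regardless of how convincing the wording is.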

In the past, the high cost of obtaining and deploying malware made it unattractive to fraudsters. However, changes in the cybercrime ecosystem are making malware easier and cheaper to access, distribute, and deploy. A report by HP Wolf Security states that an increase in the supply of malware has lowered the cost of cybercrime and the barriers to entry (HP Wolf Security, 2022). The report finds that the average price of information-stealing malware was 5 USD. It also states that malware is increasingly sold as Malware-as-a-Service (MaaS), so buyers need no expertise in cybersecurity and nearly anybody can operate it. The report also finds that malware authors are moving beyond simply selling their product to offering mentoring services and creating detailed playbooks on how to use their malware.

Implications for Customer Protection

All users of UPI are vulnerable to malware-enabled fraud. It has been documented that many sophisticated users fall victim to both social engineering fraud and hacking (The Economic Times, 2019). However, there is also a digital security divide that can affect low-income, new-to-tech users disproportionately.

First, as low-income, new-to-tech users often rely on assistance to access digital payments, they are vulnerable to exploitation by unofficial assistance providers (Kumar, Security Analysis of Unified Payments Interface and Payment Apps in India – Paper presentation, 2020). Second, secure hardware and software can sometimes be unaffordable to low-income individuals (Anthony, 2023). It has been identified that security concerns are often worse in low-priced Android phones (Morrison, 2020). This is because several lower-priced phones are made by lesser-known manufacturers who may not follow a standard vetting process (Morrison, 2020). Moreover, low-income users are also likely to use older devices that are no longer supported with regular software updates. This elevates the chances of malware taking root and exposes low-income, new-to-tech users to increased threats (Anthony, 2023).

Further, fraudsters may no longer have to rely on users to reveal detailed information and can instead use malware to steal it from their devices. Most malware requires the fraudster to interact with the user only briefly to gain access to a device. This is because, even after the user installs a malicious trojan app, their authorisation is still required to grant the permissions that allow the malware to access the device. However, granting those permissions is often the last interaction the banking trojan has with the user. Once it holds these permissions and privileges, it can often grant itself all additional permissions without requiring the user’s authorisation.

Moreover, malware often hides its icon from the device screen (McAfee, 2020). Thus, information is stolen without the user being aware of the malware’s presence in their device. Moreover, banking trojans are disguised as apps that may be completely unrelated to payments or banking. Thus, users may not be readily able to attribute financial losses to malware. Further, even users who are cautious about sharing credentials and PINs with impostors attempting to seek them may still be vulnerable to malware attacks.
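To make the permission-and-concealment pattern described in the two paragraphs above concrete, here is an added Python example (not from the original post or from any of the cited vendors) that scores a constructed inventory of installed apps on a device by the traits a banking trojan needs: installation from outside a trusted store, access to SMS and notifications, an enabled accessibility service (the mechanism commonly abused for the self-granting of further permissions the text describes), screen-overlay permission, and a hidden launcher icon. The permission strings and the Play Store installer package name are real Android identifiers; the package names, labels, the example UPI package and the score weights are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class InstalledApp:
    package: str
    label: str
    installer: Optional[str]                 # package that installed the app; None = sideloaded
    permissions: Set[str] = field(default_factory=set)
    accessibility_enabled: bool = False      # app has an enabled AccessibilityService
    has_launcher_icon: bool = True


# Real Android permission identifiers, grouped by the trojan capability they enable.
SMS_CAPTURE = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
NOTIFICATION_CAPTURE = {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}
ACCESSIBILITY = {"android.permission.BIND_ACCESSIBILITY_SERVICE"}
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}
INSTALL_OTHERS = {"android.permission.REQUEST_INSTALL_PACKAGES"}

# com.android.vending is the Google Play Store's package; add OEM stores you trust.
TRUSTED_INSTALLERS = {"com.android.vending"}


def score_app(app: InstalledApp) -> Tuple[int, List[str]]:
    """Return (risk score, reasons) for one installed app.

    Weights are an assumption for this example, not a published scoring scheme.
    """
    checks = [
        ("sideloaded_or_unknown_store", 3, app.installer not in TRUSTED_INSTALLERS),
        ("can_read_sms_otp", 3, bool(app.permissions & SMS_CAPTURE)),
        ("can_read_notifications", 2, bool(app.permissions & NOTIFICATION_CAPTURE)),
        ("accessibility_service", 4, app.accessibility_enabled or bool(app.permissions & ACCESSIBILITY)),
        ("can_draw_overlays", 2, bool(app.permissions & OVERLAY)),
        ("hidden_launcher_icon", 3, not app.has_launcher_icon),
        ("can_install_packages", 1, bool(app.permissions & INSTALL_OTHERS)),
    ]
    reasons = [name for name, _, hit in checks if hit]
    score = sum(weight for _, weight, hit in checks if hit)
    return score, reasons


def triage(inventory, threshold: int = 7):
    """Apps at or above the threshold as (package, score, reasons), highest risk first."""
    scored = [(app.package, *score_app(app)) for app in inventory]
    flagged = [row for row in scored if row[1] >= threshold]
    return sorted(flagged, key=lambda row: row[1], reverse=True)


# Constructed inventory: a sideloaded "flashlight" with trojan traits, a UPI app
# from the Play Store, a keyboard with accessibility enabled, and a notes app.
INVENTORY = [
    InstalledApp("com.example.flashlightpro", "Flashlight Pro", None,
                 {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.SYSTEM_ALERT_WINDOW",
                  "android.permission.BIND_ACCESSIBILITY_SERVICE"},
                 accessibility_enabled=True, has_launcher_icon=False),
    InstalledApp("in.example.upiapp", "Example UPI", "com.android.vending",
                 {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
                  "android.permission.CAMERA"}),
    InstalledApp("com.example.keyboard", "Example Keyboard", "com.android.vending",
                 set(), accessibility_enabled=True),
    InstalledApp("com.example.notes", "Notes", "com.android.vending", set()),
]

if __name__ == "__main__":
    for package, score, reasons in triage(INVENTORY):
        print(f"{package}: score {score}, reasons {reasons}")
```

No single trait is damning on its own (a keyboard legitimately uses an accessibility service, and a payment app legitimately reads SMS), which is why the script combines them: it is the sideloaded app that holds SMS, accessibility and overlay access while hiding its icon that matches what the McAfee, Cybereason and ThreatFabric reports describe.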

It is quite likely that the one-click frauds reported by our respondents in the primary study were indeed realized by malware. Dvara Research’s work elsewhere suggests that the permissions apps seek for accessing various kinds of data are wrapped in lengthy terms and agreements. Even more worryingly, users are disposed to accept those terms and conditions almost by default, without registering it as a salient event. Therefore, users may only ever have clicked on the link and agreed to the terms and conditions, without actively sharing any sensitive financial information, and found themselves losing money. As discussed above, most malware is distributed through social engineering tactics such as phishing and malvertisements, which may not readily register as dubious with users.

One-click frauds, without any social engineering, are most likely feasible when hackers identify vulnerabilities in the operating system’s security features. In those instances, malware can gain the required permissions without any user interaction. This was the case in the ‘Towelroot Exploit’ in 2016 when a vulnerability in Android allowed malware to take control of a device without requiring any special permissions or user interaction (Threat Post, 2016). Such vulnerabilities are rare and often quickly patched by device manufacturers and software developers.

Some malware may also target vulnerabilities in UPI applications. While most banking trojans do not exploit operating system vulnerabilities but trick the user into giving access to the device, some trojans may take advantage of security flaws in third-party apps installed on the device. For instance, Android.Ginp is a banking trojan that targets vulnerabilities in specific banking apps to overlay fake login screens on top of legitimate ones (IBM Security Trusteer, 2019). However, such vulnerabilities cannot lead to one-click fraud, as social engineering is still needed to bypass the security features of the operating system.

Call to Action

The prevalence of mechanisms that can bypass 2FA and defraud vulnerable users of their money is both a pressing customer protection and policy concern. It requires systematic thinking on the part of several agencies to ensure that protocols evolve at the same speed as new variants of fraud. These agencies include NPCI, third-party application providers, payment service providers, OS providers, regulators and law enforcement agencies. Systems to gather intelligence on frauds and promote the registration of such frauds, allowing for a nimble legal framework to respond to them, can emerge as crucial systemic levers in protecting customers from frauds.

However, an intervention that can be brought into effect right away is investing in awareness campaigns around technical fraud. The RBI and NPCI have been running awareness campaigns to educate consumers about social engineering scams and how to avoid them. These communications largely warn users against sharing OTPs, PINs and other sensitive information with scammers. Similar campaigns could be designed to inform users about banking trojans and issue advisories against actions like downloading apps from unknown sources, using unsecured Wi-Fi networks and public charging ports, granting permissions and privileges to malicious apps etc., even as systematic mitigants are contemplated.


Bibliography

Ablon, L., & Libicki, M. (2015). Hacker’s bazaar: The markets for cybercrime tools and stolen data. Defense Counsel Journal, 82, 143. Retrieved from https://heinonline.org/HOL/LandingPage?handle=hein.journals/defcon82&div=17&id=&page=

Anthony, A. (2023, 03 13). Carnegie Endowment for International Peace. Retrieved from https://carnegieendowment.org/2023/03/13/cyber-resilience-must-focus-on-marginalized-individuals-not-just-institutions-pub-89254

Blackmon, W., Mazer, R., & Warren, S. (2021, March). Nigeria Consumer Protection in Digital Finance Survey. doi:https://doi.org/10.7910/DVN/USMYWW

Center for Internet Security. (n.d.). Malvertising. Retrieved from cisecurity.org/insights/blog: https://www.cisecurity.org/insights/blog/malvertising

Cisco. (n.d.). What is malware? Retrieved April 5, 2023, from https://www.cisco.com/site/us/en/products/security/what-is-malware.html#title-6af94cb24a

Cybereason Nocturnus. (2020). EventBot: A New Mobile Banking Trojan is Born. Retrieved from https://www.cybereason.com/blog/research/eventbot-a-new-mobile-banking-trojan-is-born#threat-analysis

Google. (2019). Android Security & Privacy: 2018 Year In Review. Retrieved from https://source.android.com/docs/security/overview/reports/Google_Android_Security_2018_Report_Final.pdf


HP Wolf Security. (2022). The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back. Retrieved from https://threatresearch.ext.hp.com/wp-content/uploads/2022/07/HP-Wolf-Security-Evolution-of-Cybercrime-Report.pdf

IBM Security Trusteer. (2019). Android Malware ‘Ginp’ Targets Mobile Banking in Spain. Retrieved from https://community.ibm.com/community/user/security/blogs/limor-kessem1/2019/12/03/android-malware-ginp-targets-mobile-banking-spain

Ilascu, I. (2023, January 17). Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner. Retrieved from https://www.bleepingcomputer.com/news/security/hackers-push-malware-via-google-search-ads-for-vlc-7-zip-ccleaner/

Investopedia. (2022). Banker Trojan. Retrieved from https://www.investopedia.com/terms/b/banker-trojan.asp#:~:text=A%20banker%20Trojan%20is%20a%20piece%20of%20malware%20that%20attempts,client%20data%20to%20the%20attacker.

Kryptowire. (2022). Kryptowire Identifies Security and Privacy Vulnerability in Mobile Device Chipset from China. Retrieved from https://www.prnewswire.com/news-releases/kryptowire-identifies-security-and-privacy-vulnerability-in-mobile-device-chipset-from-china-301502349.html

Kumar, R. (2020, September 05). Security Analysis of Unified Payments Interface and Payment Apps in India – Paper presentation. Retrieved from https://www.youtube.com/watch?v=yxNWMYXv_TU

Kumar, R., Kishore, S., Lu, H., & Prakash, A. (2020). Security Analysis of Unified Payments Interface and Payment Apps in India. 29th USENIX Security Symposium (USENIX Security 20), (pp. 1499-1516). Retrieved from https://www.usenix.org/system/files/sec20summer_kumar_prepub.pdf

McAfee. (2020). McAfee Mobile Threat Report Q1, 2020. Retrieved from https://www.mcafee.com/content/dam/consumer/en-us/docs/2020-Mobile-Threat-Report.pdf

Mint. (2022). Cyber Fraud Retired Teacher Loses Rs-21 Lakh After Clicking On A Whatsapp Link. Retrieved from https://www.livemint.com/news/india/cyber-fraud-retired-teacher-loses-rs-21-lakh-after-clicking-on-a-whatsapp-link-11661125424653.html

Mohan, C., Datta, S., Venkatanarayanan, A., & Rizvi, K. (2022). Tackling Retail Financial Cyber Crimes in India. Retrieved from https://deepstrat.in/wp-content/uploads/2022/05/Tackling-Retail-Financial-Cyber-Crimes-In-India-Deepstrat13.05.2022-1.pdf

Morrison, S. (2020). “Privacy shouldn’t be a luxury”: Advocates want Google to do more to secure cheap Android phones. Vox. Retrieved from https://www.vox.com/recode/2020/1/17/21069417/privacy-international-bloatware-android-google

National Payments Corporation of India. (2016). India’s Unified Payment Gateway for Real-Time Payment Transactions. Retrieved from https://www.npci.org.in/PDF/npci/upi/Product-Booklet.pdf

National Payments Corporation of India. (n.d.). Unified Payments Interface (UPI). Retrieved April 5, 2023, from https://www.npci.org.in/what-we-do/upi/product-overview

NortonLifeLock. (2021, July). Norton. Retrieved from https://us.norton.com/blog/emerging-threats/what-is-social-engineering

Pan, J. (1999). Software Testing. Dependable Embedded Systems.

Privacy International. (2020). An open letter to Google. Retrieved from https://www.vox.com/recode/2020/1/17/21069417/privacy-international-bloatware-android-google

Proof Point. (n.d.). Wayward Wi-Fi How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk. Retrieved from https://www.proofpoint.com/sites/default/files/pfpt-us-ebook-wayward-wifi.pdf

Rajya Sabha. (2023, March 21). UNSTARRED QUESTION NO. 2296: UPI Frauds. Retrieved from https://rajyasabha.nic.in/Questions/MinistryWiseSearch

Reserve Bank of India. (2022). Be(a)ware: A Booklet on Modus Operandi of Financial Fraudsters. Retrieved from https://rbidocs.rbi.org.in/rdocs/content/pdfs/BEAWARE07032022.pdf

Statista. (2021). Average selling price of smartphones in India from 2010 to 2021. Retrieved from https://www.statista.com/statistics/809351/india-smartphone-average-selling-price/

Statista. (2021). Market share of mobile operating systems in India from 2012 to 2021. Retrieved from https://www.statista.com/statistics/262157/market-share-held-by-mobile-operating-systems-in-india/

The Economic Times. (2019). New form of OTP theft on rise, many techies victims. Retrieved from https://economictimes.indiatimes.com/news/politics-and-nation/new-form-of-otp-theft-on-rise-many-techies-victims/articleshow/67521098.cms

The Economic Times. (2020, June 1). Hackers claim to have found vulnerability in BHIM app; NPCI denies data compromise. Retrieved from https://ciso.economictimes.indiatimes.com/news/hackers-claim-to-have-found-vulnerability-in-bhim-app-npci-denies-any-data-compromise/76137226

The Times Of India. (2020). Person loses Rs 1.5 lakh after clicking on web link. Retrieved from https://timesofindia.indiatimes.com/city/mangaluru/person-loses-rs-1-5-lakh-after-clicking-on-web-link/articleshow/79328294.cms

Threat Fabric. (2020). BlackRock – the Trojan that wanted to get them all. Retrieved from https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html#how-it-works

Threat Post. (2016). Android Ransomware Attacks Using Towelroot, Hacking Team Exploits. Retrieved from https://threatpost.com/android-ransomware-attacks-using-towelroot-hacking-team-exploits/117655/

Times of India. (2023). 95,000-plus UPI-related fraud cases reported last year: Fina .. Retrieved from https://timesofindia.indiatimes.com/gadgets-news/95000-plus-upi-related-fraud-cases-reported-last-year-finance-ministry/articleshow/98975930.cms


[1] The author is a Policy Analyst with Dvara Research. The author would like to sincerely thank Beni Chugh and Lakshay Narang for their valuable input and rigorous review.

[2] 85 respondents from Mumbai, Delhi, Kolhapur and Unnao

[3] Social Engineering is the manipulation of someone to divulge confidential information that can be used for fraudulent purposes. Unlike cyberattacks that rely on security vulnerabilities to gain access to unauthorized devices or networks, social engineering techniques target human vulnerabilities (NortonLifeLock, 2021).

[4] A combination of the mobile number linked to the user’s bank account and the IMEI number of the user’s device.

[5] Link to tweet –  https://twitter.com/dushyantgadewal/status/1369876267336527873


Cite this blog:

APA

R, S. (2023). The Use of Malware in UPI related Fraud. Retrieved from Dvara Research.

MLA

R, Shreya. “The Use of Malware in UPI related Fraud.” 2023. Dvara Research.

Chicago

R, Shreya. 2023. “The Use of Malware in UPI related Fraud.” Dvara Research.


