One of the things we do at Easy Solutions to help protect banks from fraud is passive monitoring of paste sites, social media sites, and the black market. We see all kinds of crazy things, and we wanted to share this example. In the case below, we found what appeared to be the source code for one of our clients' mobile banking apps. We pay attention to this kind of thing because publication of source code can lead directly to increased attacks, especially against mobile apps.
Image 1 - An attacker publishes the source code for a banking application
The process for obtaining the code is fairly simple, using tools such as dex2jar and APK Multi-tool. dex2jar converts the APK's Dalvik bytecode into a Java class archive from which readable source can be recovered. APK Multi-tool unpacks the application's resources and configuration settings.
Image 2 - View of the code obtained after using dex2jar
Image 3 - APK Multi-tool unpacks the app and returns all of its resources.
The threat vector we are watching for is a surge in fake mobile banking apps: the bank's real app, recompiled with added functionality that records login credentials and presents the user with extra "security" prompts asking for further information such as SSNs, dates of birth, and PINs. These applications are frequently found in one of the hundreds of third-party Android app stores on the Internet. It is important to keep an eye out for precursor activity like this that could lead to direct attacks against customers down the road.
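A defender's first check on a suspect APK is whether its contents still match the digests recorded in its JAR manifest (`META-INF/MANIFEST.MF`), which is what a repackaging that swaps in a patched `classes.dex` or adds new resources disturbs. The following is an added example, not code from Easy Solutions or from either tool named above; it builds a small constructed APK-like ZIP in memory, verifies every entry against the manifest, and reports modified or unlisted files. The file names, contents and the placeholder `CERT.RSA` block are constructed for the demonstration.

```python
import base64
import hashlib
import io
import zipfile


def _unfold(text):
    """Join JAR manifest continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_manifest(text):
    """Return {entry name: (hash algorithm, base64 digest)} from MANIFEST.MF sections."""
    digests = {}
    name = None
    for line in _unfold(text):
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = ("sha256", line[len("SHA-256-Digest: "):])
        elif line.startswith("SHA1-Digest: ") and name:  # older v1-signed APKs
            digests[name] = ("sha1", line[len("SHA1-Digest: "):])
        elif not line:
            name = None  # blank line ends a section
    return digests


def check_apk(apk_bytes):
    """Compare each non-META-INF entry's digest to the manifest.

    Returns files whose content no longer matches ('modified'), files the
    manifest never listed ('unlisted'), and the signature block files present.
    """
    findings = {"modified": [], "unlisted": [], "signature_blocks": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for info in zf.infolist():
            name = info.filename
            if name.startswith("META-INF/"):
                if name.endswith((".RSA", ".DSA", ".EC")):
                    findings["signature_blocks"].append(name)
                continue
            if name not in manifest:
                findings["unlisted"].append(name)
                continue
            algo, expected = manifest[name]
            actual = base64.b64encode(hashlib.new(algo, zf.read(name)).digest()).decode()
            if actual != expected:
                findings["modified"].append(name)
    return findings


# --- constructed sample data below; a real APK has the same layout ---

def build_manifest(entries):
    """Write a JAR-style MANIFEST.MF with a SHA-256 digest per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    return "\r\n".join(lines).encode("utf-8")


def build_sample_apk(entries, signer_block=b"constructed-signature-block"):
    """Assemble an APK-like ZIP: manifest, a placeholder signature block, and the entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", build_manifest(entries))
        zf.writestr("META-INF/CERT.RSA", signer_block)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def replace_entry(apk_bytes, name, new_data):
    """Swap or add one entry without regenerating the manifest (a naive repackage)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
        if name not in src.namelist():
            dst.writestr(name, new_data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk({"classes.dex": b"dex\n035 constructed",
                               "res/layout/login.xml": b"<layout/>"})
    print("clean:", check_apk(sample))
    print("patched dex:", check_apk(replace_entry(sample, "classes.dex", b"dex\n035 patched")))
    print("extra asset:", check_apk(replace_entry(sample, "assets/extra.js", b"// added")))
```

This catches the careless case only: a repackager who re-signs the app regenerates the manifest and the digests match again. The check that survives re-signing is comparing the signer certificate in the signature block against the bank's known release-key fingerprint, which `apksigner verify --print-certs` from the Android SDK build-tools reports; any suspect APK whose certificate differs from the bank's is not the bank's build, whatever its manifest says.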