Be careful the next time you sign in to your bank account on your smartphone.

The FBI has discovered new malware that is being used to steal login credentials from mobile banking apps, the Wall Street Journal reports, and has no idea how many people have been hacked in this way.

Hackers are able to get this malware onto smartphones by infecting websites or by tricking people into installing it themselves with a malicious text or email. Once it’s on a device, it waits for a banking app to be launched, displays an overlay that looks like the legitimate app to steal info, then sends the credentials to others.

Malware has been used for hacks like this since at least 2013. The difference now is that there are more variations of this malware than ever, and at the same time, more banks have released apps that allow people to interact with their accounts on the go.

The good news is that this kind of malware can cost up to $15,000, so most hackers won’t be able to afford it. The bad news is that it can be modified to request other information, such as a Social Security number, which can be used to access other sensitive accounts that have nothing to do with the banking app.

Many thieves have been content to steal directly from banks by targeting ATMs. But hacks like this can steal from individuals without them ever knowing.

Some banks plan to fight schemes like this by relying on biometric security. Many have incorporated Apple’s Touch ID into their apps, for example. Wells Fargo plans to take it a step further by scanning its customers’ retinas if they try to access highly valuable bank accounts.

Biometric security can reduce these kinds of hacks because nothing is sent to whoever is running the malware. But it can also make people more vulnerable if someone gains physical access to their device. So what are people supposed to do if they don’t want to put their bank accounts at risk?

Well, at this point the best solution is probably to just avoid banking apps. Barring that, avoiding sketchy links and making sure there’s no malware on the device by using antivirus software or only installing software from trusted sources like the Play Store are going to be the best defenses.
