A View Into Web(View) Attacks in Android


James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog.


Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials.


In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets Android and is replacing the classic overlay M.O. (Modus Operandi). These new attacks use the good-old web attack tactics with adjustments made for Android. IBM Trusteer has dubbed these attack tactics Mobile Web(View) attacks because the attack vector is the Android WebView component, and not the browser application (for reasons that will be explained in the following sections).


In this blog, two extremely effective attack techniques are discussed: Web(View) injection attack (based on web injects in the browser) and mobile cookie stealing.


What is a Web Injection Attack?


A web injection attack is a technique used by malware to exfiltrate and manipulate the content of a website from the client side as it is being presented by the browser. During a web injection attack, the malware injects HTML or JavaScript code into the website by running code in the scope of the web browser process that is installed on the victim’s device.


In a web injection attack, what the victim sees in the browser might be different from what is intended by the web server. In addition, every private detail entered by the victim on the website is exposed to the malware.


Fo ..

Support the originator by clicking the read the rest link below.