Virtualization-based Penetration Testing Study for Detecting Accessibility Abuse Vulnerabilities in Banking Apps in East and Southeast Asia
Wei Minn, Phong Phan, Vikas K. Malviya, Benjamin Adolphi, Yan Naing Tun, Henning Benzon Treichl, Albert Ching, Lwin Khin Shar, David Lo
TL;DR
The paper investigates FjordPhantom, a virtualization-based accessibility abuse malware targeting Android banking apps in East and Southeast Asia. It develops an automated penetration-testing pipeline to evaluate 83 banking apps across seven countries, combining static protection analysis and a controlled repackaging attack to test vulnerability. The results reveal that about 43% of apps are vulnerable, potentially affecting roughly 225 million Android users, with uneven effectiveness of existing hardening measures (notably anti-VM and anti-disassembly) and limited adoption of RASP solutions. The authors advocate integrating Promon SHIELD into CI/CD pipelines and discuss Google Play Protect limitations, offering practical guidance for strengthening mobile banking security against virtualization-based threats.
Abstract
Android banking applications have revolutionized financial management by allowing users to perform various financial activities through mobile devices. However, this convenience has attracted cybercriminals who exploit security vulnerabilities to access sensitive financial data. FjordPhantom, a malware identified by our industry collaborator, uses virtualization and hooking to bypass the detection of malicious accessibility services, allowing it to conduct keylogging, screen scraping, and unauthorized data access. This malware primarily affects banking and finance apps across East and Southeast Asia region where our industry partner's clients are primarily based in. It requires users to be deceived into installing a secondary malicious component and activating a malicious accessibility service. In our study, we conducted an empirical study on the susceptibility of banking apps in the region to FjordPhantom, analyzed the effectiveness of protective measures currently implemented in those apps, and discussed ways to detect and prevent such attacks by identifying and mitigating the vulnerabilities exploited by this malware.
