
From Impersonation to Exploitation: A Look at Mobile Malware Campaigns

BSides Cape Town · 2025 · 42:18 · 219 views · Published 2025-12
About this talk
Two years of malware investigations reveal how attackers use social engineering and app impersonation to compromise Android devices. The talk breaks down a sophisticated repackaged RAT campaign into three phases—Delivery, Enablement, and Exploitation—exposing how threat actors manipulate Accessibility Services to gain full device control. Speakers discuss the evolving mobile threat landscape, real-world risks to financial apps and users, and practical defenses including user education and industry collaboration.
Mobile malware is no longer a fringe concern—it’s a fast-evolving threat that quietly compromises users across the globe. This session dives into two years of malware investigations, revealing how attackers exploit social engineering and impersonate trusted Android apps to gain full control of devices. Through a case study, we expose the inner workings of a repackaged RAT campaign and the critical phases of its attack: Delivery, Enablement, and Exploitation. Attendees will gain insight into how threat actors manipulate Android Accessibility Services, bypass user defences, and adapt their tactics in response to improved detection. While not directly targeting South African institutions, the campaign’s techniques pose real risks to financial applications and user privacy. This talk offers insights into mobile malware campaigns and highlights the urgent need for collaboration, education, and smarter defences in the mobile threat landscape.

Mobile malware continues to evolve, posing a persistent and often underestimated threat to users worldwide. In this session, we present key findings from a series of malware investigations conducted over the past two years, offering a comprehensive look into the current state of mobile malware and its implications for users and institutions alike. We begin by exploring the broader mobile threat landscape—highlighting prevalent malware capabilities, global distribution trends, and the challenges in attributing these campaigns to specific threat actors. The talk then focuses on a detailed case study of a sophisticated malware campaign that leverages social engineering and impersonates legitimate Android applications to compromise user devices. The attack is broken down into three critical phases: Delivery, Enablement, and Exploitation.

We demonstrate how attackers manipulate users into granting dangerous permissions—particularly Android Accessibility Services—ultimately gaining full control of the device. Our reverse engineering reveals the malware to be a repackaged variant of the Gigabud Remote Access Trojan (RAT), previously seen in campaigns impersonating government services. We will also cover a few reactive strategies that the threat actors adopted in response to improved detection, and how their delivery methods changed in response. While this malware is not specifically designed to target South African institutions, the tactics and methods employed by threat actors enable them to manipulate users into granting access to their financial applications. This underscores the importance of practical mitigation strategies, such as user education, understanding Google Play Protect’s behaviour, and fostering collaboration among financial institutions to strengthen detection and response efforts. This talk aims to demystify the mobile malware ecosystem, assess the real-world risks to users, and highlight actionable steps that can be taken to disrupt these evolving threats.

About Brent Shaw
Brent Shaw began his career in audio engineering, working on real-time distributed audio control systems before transitioning into the world of cybersecurity. His early focus on Industrial Control System (ICS) security introduced him to the complexities of SCADA and PLC environments, where he developed expertise in protecting critical infrastructure. Today, Brent works as a cybersecurity researcher with a strong emphasis on security automation. His interests span a wide range of cutting-edge topics, from breaching air-gapped networks to unconventional techniques like ultrasonic mole detection. Brent’s work combines deep technical knowledge with a passion for exploring the boundaries of security in both traditional and emerging domains.

About Dr Roboto
With a decade embedded in the financial sector’s digital trenches, [Redacted] has analysed malware strains, reverse-engineered adversarial code, and profiled threat actors operating in the shadows of global finance. Armed with a PhD in Signals Intelligence, they’ve traced lateral movement across compromised networks and developed behavioural fingerprints of Advanced Persistent Threat (APT) groups. Their work bridges the gap between deep technical analysis and real-world adversary tracking.
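The Enablement phase described above hinges on the victim granting an Accessibility Service and a long list of other permissions. The following Python triage script is an added example, not the speakers' capability-mapping tool: it parses a decoded AndroidManifest.xml (apktool-style output) and scores the permission and service combinations the talk names, namely accessibility binding, overlays, SMS and notification interception, and sideloading. The capability map, the verdict thresholds and both sample manifests are constructed assumptions for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the permission and service
combinations behind the Accessibility-driven RAT behaviour the talk
describes: automated clicks and screen reading, overlays, SMS and
notification interception, and sideloading further packages.

Added example, not the speakers' tool. The capability map, thresholds and
sample manifests are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capability -> manifest evidence that enables it (real Android permission
# names). One permission alone proves nothing; the combination matters.
CAPABILITY_EVIDENCE = {
    "accessibility_control": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "screen_overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "notification_interception": {
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "call_interception": {"android.permission.READ_CALL_LOG",
                          "android.permission.READ_PHONE_STATE"},
    "sideload_payload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def collect_evidence(manifest_xml: str) -> set:
    """Return every permission the manifest requests or binds.

    <uses-permission> entries are what the app asks the user for; the
    android:permission attribute on a <service> is how Accessibility and
    Notification Listener services are declared, so both are collected."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for node in root.iter("uses-permission"):
        if node.get(NAME_ATTR):
            found.add(node.get(NAME_ATTR))
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR):
            found.add(svc.get(PERM_ATTR))
    return found


def triage(manifest_xml: str) -> dict:
    """Map manifest evidence to capabilities and rate the combination.

    Accessibility control plus overlays plus SMS or notification access is
    the set that lets the malware drive the device and hide the evidence,
    so it is rated 'high'; any subset is 'review'; nothing matched is 'low'."""
    evidence = collect_evidence(manifest_xml)
    matched = {cap: sorted(evidence & needed)
               for cap, needed in CAPABILITY_EVIDENCE.items()
               if evidence & needed}
    caps = set(matched)
    if {"accessibility_control", "screen_overlay"} <= caps and (
            {"sms_interception", "notification_interception"} & caps):
        verdict = "high"
    elif caps:
        verdict = "review"
    else:
        verdict = "low"
    return {"verdict": verdict, "capabilities": matched,
            "permission_count": len(evidence)}


# Constructed sample shaped like a decoded manifest of the kind described.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed benign baseline: a word game that only needs network access.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.wordgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        report = triage(xml_text)
        print(f"{label}: verdict={report['verdict']} "
              f"permissions={report['permission_count']}")
        for cap, names in report["capabilities"].items():
            print(f"  {cap}: {', '.join(names)}")
```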
Transcript [en]

Hi, good morning. Is that good? How's it? Yeah. So, today we're presenting our talk, From Impersonation to Exploitation: A Look at Mobile Malware Campaigns, basically focusing globally and just showing how it actually relates back to South Africa. Yeah, this is basically about us. It's a nice intro. Yeah, so I'm Dr Roboto. I've been around; I basically come from a background of research. Spent about 10 years in financial institutes looking at malware tracking, basically threat intelligence, and yeah, tracking bad guys. That's it.

>> I'm Brent Shaw. I actually come from an audio background but have taken a long and winding road to finding myself in security. I have covered a bit of industrial control systems but am mostly focused on security research. Cool. In our day jobs, we work for NetBank on the cyber security research team. We are primarily focused on research and development, looking at new technologies, implementing new stuff. The mic is cutting in and out. I will try to stay close. Hello. Cool. So we also focus on security automation. We run a SOAR platform. We try and automate things to make things quicker, easier, better for the bank. And along the way we also work on breaking ATMs, POS devices and so on.

Over the last few years, we've seen some pretty staggering stats in terms of mobile malware. The increases have been phenomenal. Depending where you go for these stats, different security providers and AV guys have got wild stats. Some of them report up to a 200% increase in mobile malware from 2024 to 2025. Lots and lots and lots of malware. It's actually quite ridiculous because it's something you almost don't hear of, at least for the most part. I don't know too many people that do unless they're installing funky games and all the stuff you see on YouTube ads. In terms of real-world losses, in 2025 it was predicted that cybercrime would cost us $10 trillion, which is like a crazy number. But of that, it was predicted 6 billion would actually come from mobile malware. 6 billion in losses. And that's a lot to take in, especially for something that a lot of people don't think of. When you think of $10 trillion, you're thinking of companies losing this. When we're talking about mobile malware, we're talking about you losing it. Okay? These are not companies losing money with mobile malware. These are people, and that's something to keep in mind throughout this talk.

Now, in terms of our customers, they're always at risk. When I say customers, I'm talking about not just the bank, anyone that's in a company that caters to people. Whether you're on a shopping platform, a bank, anything, you have customers and they're vulnerable. Whether it's phishing, smishing, vishing, any of the -ishings, they're getting hammered non-stop. We've seen massive campaigns run this whole year, previous years, but it's ramping up. SIM swaps are out of hand. Like, the simple truth is it's not you initiating SIM swaps in some cases, it's the bad guys. And for customers, this is terrifying because these days your cell phone is kind of everything, you know, your one-time PINs, verification codes, all these things that now phone you and verify things via voice. Yeah, that doesn't make it safer if your SIM card is stolen. And all of this is to enable account takeovers. And that's kind of terrifying.

So, what's driving this? Well, the simple truth is money. Okay? And in terms of money, we know that obviously profits for fraudsters is what they're after. But what's driving the crazy ramp-up is social engineering, the silly AI thing. That's just enabling people to churn out scams left, right, and center. And along with that, technical sophistication: where it used to take a ton of skill to develop some of these mobile malwares, now not so much. Yeah, with AI-developed tools, it's so much easier to manipulate things, so much easier to run these scams and to iterate. So why do we care? Yeah, the simple truth is this isn't going away. People are hurting. People are losing money. And that's not just one company's problem. And that's not just one person's problem. This is something we should all be worried about. Norton saw 1.2 million blocked malware attempts for mobile in 2024. In 2025, that was 33 million. When I say the increases are crazy, they're crazy. Something to note: any time you see a little QR code on the slides, and I'm hoping it's big enough, you can just scan it and that'll take you through to any research we think you might find interesting. So yeah, it's not phishing. [laughter] It's not malware. It shouldn't be, unless the researchers we're directing you to are bad. But realistically, this massive increase is good for business, not our business, but for fraudsters. What we've seen... you want to take this?

>> Sure.

>> Yeah.

>> Yeah. So what we've seen in the mobile malware space is basically these are the targeted regions that align to South Africa, as you can see, pointing at the South African regions. Okay, cool. There's a high probability that we actually link with the Southeast Asian markets. I think most of the mobile malware that's hitting South Africa originates from Southeast Asia. I think there are lots of similarities in the market and in how the adoption rate of mobile banking and mobile applications in South Africa actually relates to Southeast Asia. I think we actually became a nice and easy target for these guys, and yeah, I think there are some overlaps, as we see going through our research, that this actually ties back to Latin America as well. Based on our research we can see that these are emerging countries, countries that actually adopt technology quite rapidly and like to use their phone on the go and do all their activities on their mobile devices. I think, like Brent mentioned, everything lives on your device these days, and I think you guys can clearly see from the map it's a very inverted approach to the rest of the world, where the Americas and the European countries are not being targeted with these types of attacks. So I think, yeah, as we go deeper into this presentation you guys will get a bit of understanding of how South Africa actually lines up with these attacks.

Now something we've seen along with this is technical evolution. In the past, you had one or two malware families that dominated, one or two strains that were just iterated upon and improved over time, over a long time. We're seeing that ramp up. New families: GoldDigger, SpyNote, Gigabud. They've all been around for a while, but we're seeing fast iteration on them. We're seeing them change. We're seeing the fraudsters update them sometimes almost daily, and we're seeing them rework them, improve them, and build in strategies that we have to defend against. Again, that's everyone has to defend against. Now, something that, if you've ever done a little bit of malware research, sometimes might drive you crazy is that all kinds of companies cannot settle on a name for something. Whether it's threat actors, whether it's malware strains, whatever it is, it's sometimes a bit tricky. You'll find a research paper that says this is Gigabud malware, and the next research paper talks about what appears to be the exact same thing and calls it GoldDigger. This can be quite annoying. So we put together a little family tree showing you just how confusing it actually is. You're not wrong, it is confusing. So these are things we'd like to make available in a repository afterwards for anyone who's interested. But basically just some tools for exploration that allow you to go see how things relate, naming aliases, the way different vendors name things and our malware families. Hopefully this will help people get a better idea of how these things actually link together. And you know, knowledge is power. Cool.

>> Yeah, I think, as Brent mentioned earlier, the stats are just insane numbers. As you can see, there's quite a [ __ ] ton of malware attacks per hour that you see in South Africa. And I think most of the stuff that enters the news is basically your SIM swap. I think that's a very common one. Your brand impersonation, and we've seen a rise in the AI-driven scams. I think that's quite challenging, especially now that you can basically build sites with a few prompts to the AI, and off you go: you have a phishing site, you have a whole infrastructure. So yeah, it's been quite challenging for us. As technology evolves, we're actually seeing that the ramp-up has been exponential.

>> So what can these malwares do? This is where it starts to get really interesting. They have crazy capabilities. Okay, anything from putting overlays on your screen so that you're not clicking what you think you're clicking, reading your screen, keylogging, capture, sometimes in the form of pictures, sometimes actually streaming. They're actually streaming your current state off somewhere to a scammer. Whether that's a person looking at it, whether they've got a bot, that's sometimes up for debate. But the capabilities of these things improve all the time. And they do this realistically to automate clicks, navigate your device. Once you're fully infected, they can do quite a lot. They can intercept calls, SMSs, push notifications. They can build designer strategies to target things you have on your phone, because they've got access to your phone. They know what's there. They simply go back and design a strategy on how to take money from it. And in these cases, you'll see, you know, you think, oh, if money goes out of my account, I'll see that, right? Because the bank's going to send me an SMS. Not when the malware deletes it. Okay. That's really not great. Push notifications? They can clear them. These things are sophisticated and they can do a lot more than most people think. On top of that, they're fighting against us, the researchers, with packers, with obfuscation, with anti-analysis tooling. They actually build their own Frida hooks in to stop you reverse engineering these things. In some cases, they have some very skilled self-defense strategies to tell if they're virtualized, to tell what people are actually trying to do in order to get more information out of them. Luckily, some very smart researchers have pulled these things apart. We've pulled it apart. I can't take credit for all of this. We got a lot of this from other researchers across the board. A lot of it's out there and you can go read it yourself. But basically, they use quite a complicated thing where they actually pack these, and the raw APK doesn't actually often have the malicious code in its DEX file, the actual Dalvik code. Instead, sometimes it's hidden in a shared library, much harder to find, fully obfuscated, and yeah, they're not making it easy. On top of that, re-encrypting, changing this up, and improving on their malware with high frequency makes it even harder. Even though you think you've figured the one out, they change it.

So, why are we telling you this? Obviously, to scare you, because you know, you should be scared. They're coming for you. You might think you are immune. As we've seen, people aren't. People like to go for these things. People like to click links. And I mean, we've just witnessed a bunch of people scanning QR codes. Not our QR codes; I'm talking about the BSides ones on the wall. Our QR codes are safe. I can't speak for the others. But always be wary. So, a question that often comes up as soon as you start talking about Android malware is people just go, buy an iPhone. And like, you know, that's the simple answer. Just go buy an iPhone. Yeah. Not all the time. There is iPhone malware out there. Let's be honest, there's a lot less of it than Android. But globally, especially if you look at the countries that we showed earlier, what we're really comparing to, iPhone doesn't feature as much. In this particular case, a lot of countries are sitting at like 80 to 85% Android saturation. That's South Africa up at 85%. Now, what does that mean? If you're writing malware to target South Africans, you're not going to pick iOS. It's that simple. You could pick iOS. It's a little bit harder, but it's a much smaller target area. So people are going for the easy low-hanging fruit, the mass populace. iOS does get targeted. There are some very nicely documented malwares for iOS. But a big thing with iOS, and things have been changing over the last few years: obviously, jailbreaking iOS has got considerably harder. This does slow things down a little bit. Doesn't solve it entirely. If you're financially motivated, eventually you'll get there. But we're not talking about iOS today, and I'll be honest, it's not my specialty. So, let's have a look at a case study.

>> Yeah. So I think we'll just take you guys through the approach that we've gone through, not just analyzing but actually profiling these threat actors and seeing how we can link them together and seeing how we can actually defend against them. So yeah, we'll take you through a few scenarios from start to end. So I think, where did this all start? I think this started last year, 2024, in about June. We got this mass call that there's this DStv malware going around and what are the banks doing about it, and it was very interesting that nobody asked DStv what they're doing about it, because they're not targeting DStv. DStv is basically just made a mechanism to get to the banking app, which is quite interesting. So yeah, we actually looked at this malware. It was the first of its kind we saw in South Africa. It was something new, totally different. And when we looked into this malware, it had proper protection and obfuscation. You could actually see or notice from the obfuscation and the protection that it was a proper threat actor. You weren't dealing with some guy sitting in his basement coming after you. This was properly financially motivated. And as we'll go through this, you'll see the journey of how this malware actually adapted to our defense strategies as well. Thank you.

>> Yeah. Cool. So when we started looking into this, what we did find was obviously this was not new. These malware strains, specifically what we'd identified as Gigabud and linked to GoldDigger, went back further, all the way back to June 2023, some of the first reports of them coming out. Okay, but as you can see, and I'll just zoom out to make it a bit more obvious, those reports picked up, okay, and they picked up in a big way. They expanded this campaign rapidly, not just targeting South Africa, targeting Southeast Asia, targeting Brazil and South America. And we saw a massive ramp in this malware. Along with it, obviously, a massive ramp-up in people trying to do research on it. Oh no, it froze. That's technical difficulties. Apologies.

Sorry, we're testing a new way of doing presentations, and they are [clears throat]... we're learning.

>> Yeah. As Brent said, we're learning. We asked our stupid AI to build this presentation for us, so [laughter] forgive the crazy bugs. So yeah, we'll just talk you through the delivery mechanisms. How do you actually get your victim, or how do you get people installing malware for you? So basically, how do you lure your target? How do you get your victim? One of the most prominent ones we've been seeing is basically Facebook ads, WhatsApp ads saying, "Hey, we've got free stuff for you. Are you interested?" And most of this free stuff that we look into is actually streaming services. I mean, there's a big demand in South Africa for free streaming services. How many guys want to just watch free DStv? And that was one of the interesting hooks that these threat actors actually focused on: they know the market. They knew the South African market is susceptible to basically free [ __ ]. And we are actually... [laughter] myself, I like free stuff too. So yeah, I think South Africa has this great mentality of, if it's free, if it's cheap, I'll circumvent control for you. So that's quite interesting. So yeah, basically the threat actors will lure you in saying free streaming services, free Netflix, discounted flights, 90% off flights, and these adverts actually pop up in Google searches as well, and in Facebook and in basically all your social media. They actually have a campaign running of free ads to actually lure the victims. So yeah, this is just some generated content. [snorts] And this is just an example. Basically, as you can see, this is just a free ad here saying, hey, if you hurry right now, you'll actually get a nice discount on your flights. And usually the user will be like, oh, wow, cool. Some free or discounted flights. I'll just click here. And this is the entry point. We kind of kept the Facebook profiling out of this because Facebook can be crazy sometimes. So yeah, basically they'll present the user with such a basically info or bio saying, by the way, these are free flights, these are free streaming services, and they'll actually put their contact details in this viewer web form, and then the user will actually go out of their way to contact the fraudster. Believe it or not, if you're offering free flights or a free streaming service, the user actually phones or contacts people via WhatsApp or any other social media means, and then the fraudsters get into contact with the users and they have a conversation with them over WhatsApp, telling them, by the way, click on this link, or here's a direct APK. And you guys might be thinking, come on man, you can't be serious, right? But seriously, when it comes to free stuff, Africans are very susceptible to actually doing this. So yeah, as I mentioned, once they actually give you these malicious URLs or links, you can see they actually mimic some of the Play Store capabilities, and we'll just go through a few examples. Is that right?

>> Yeah.

>> But basically, yeah. So basically they'll con you into going to a few websites, and on this website there'll actually be download links to the APK, the Android application. They con the user into actually installing it, and then basically some of the applications that we looked into have these certain capabilities. I think, like Brent said, there are different families there: spyware, bank Trojans, adware. But what if there's an all-in-one OP app that can just do everything for you, from a threat actor perspective? And that's where they've actually gone to. Instead of just doing these singular apps that can do different things, they actually made one powered app that can actually just do everything for you. And the great thing about this is the user or the victim is doing the hard work for the threat actors. So [snorts] yeah, as we mentioned, basically this is how they contact the victims, how they interact with the victim. There's a QR code at the bottom. I think if you guys scan this, it will actually take you to the Devi show. I think there was a nice article or presentation. I think Orange Cyberdefense was involved, and it actually shows live victims, or real victims, explaining their journey of how they got targeted via these threat actors, how the threat actors contacted them and guided them step by step on how to install the malware, how to get the malware operational. So if you are interested, you can scan that. I think it's a nice view of how susceptible people are to this.

Yeah. So you guys are like, how does this actually work? So once the application gets installed on the phone, it can't really do anything. They've designed it in a way that once you install it, it doesn't do anything, because this is a nice way to circumvent control, circumvent defense organizations detecting this, especially Google, because I mean if there are certain applications on your phone, Google actually does scan for this. So if the app in its current state is doing nothing, there's nothing to see. But what is incredible is they actually get the user to enable accessibility settings. They actually get the user to disable some security controls. And you're like, "Wow, [laughter] this is so cool, right? The actual user is taking their own device and just disabling all the security features because free, right? We like our free stuff." So yeah, it's some quite interesting stuff here. And then from a threat actor's point of view, they have full control of your device. They just have overlays running in the background. To the user, you'd think basically your app is stuck, your app is bugged, I can't do anything. Meanwhile, in the background, there's full malware running, intercepting everything that's going on on your phone, and they actually are able to run programs, applications, in the background. So you might see a specific screen, but they've actually started up your banking app, and in the background [clears throat] they're actually logging in and prompting you to do your authentication, and you, none the wiser, are actually just giving your funds away. [snorts] So yeah, as I mentioned, this is the app. They'll actually give a, what do you call this, a message. And just pause it. Yeah, I think you close it.

Yeah. So, basically this is how they'll actually get the user to install the app. The app will say, "Hey, something is wrong. Something's gone wrong." Then the fraudsters will actually call them and contact them and say, "Oh, we've noticed something's gone wrong with your app. Let us help you fix the app. We want to get you this discount." And while they're actually on this journey, they'll convince the user to actually go through your Android settings and disable a few security features. And this screenshot over here, this is your accessibility features. As you can see, it literally says you're giving your permission over to the app to do everything. So it's like, in this moment, the user or the victim, they don't even read. They just like allow, allow, allow. I'm getting free stuff. And it's very, very interesting and common that if they just took 5 seconds to just look at this screen, it's like, if I enable this, all my permissions are gone. I've just given my phone over. So yeah, this is how they get the user to actually enable the malware. Once this is actually allowed, then the app actually transforms into a full malicious state which actually talks back to the threat actors. Yeah. And this is just an example of how you actually enable it. As you can see, it's quite a lot to do. It's effort. So imagine you have to go through all this effort just to enable or bypass your own device security settings. As you can see, you first need to find the accessibility settings, find the app. It actually tells you this is restricted. Please don't do this. And you have to go through these extra loopholes just to bypass your own device. [clears throat] You can see we're just allowing some restricted settings. It should come back. And now you can see, this is all from the user perspective, they've now basically gone back to accessibility and say, oh, we see this app, please. And that screenshot comes up again saying, by the way, if you do this you're kind of screwed, but the users don't care. We just continue going on, and at this stage your device is now owned. And it's quite simple: you install the APK, you enable accessibility options, and you've been owned. So it's quite easy from a threat actor perspective that under the guise of free or discounted deals, South Africans are very susceptible to actually going through with this campaign.

>> So the crazy stuff, if that wasn't crazy enough, is what happens next. Now, something he spoke about, something he showed there, is that long process of enabling all those accessibility settings. Now something important to note here is [snorts] that is sort of a key here. If they don't have the accessibility settings, they can do a lot less. That doesn't mean they can't do anything, but that's quite a linchpin in this entire thing. As soon as they move on to exploitation, they can get onto your device, start harvesting credentials, and begin their remote access. Now, just for you here, I'll have to zoom in a little bit. We have a dramatic reenactment of what happens. This is just a little Android app. Here we go. And we log in. Basically what happens as we're logging in: the malware actually starts capturing everything we're doing. We might be doing our normal transactions, but it's watching, it's harvesting that information, and as soon as we stop using our phone, off it goes. Okay, it logs in, it starts making transactions. Again, not a problem, I'll know about it because they'll tell me. I'll have those pop-up notifications, I'll have SMSs. Not when they get deleted. The malware can take control of that. It's got access to messages, phone calls, pop-up notifications, anything. And it can not only suppress them so that you can't see what's going on, but it can go and delete that evidence, giving you a lot less chance to realize that you've even been attacked. And they'll kind of do this either until they get caught or, I guess, until you run out of money. Really hoping it's not the latter. But off they go and they start taking your money.

This is a tool we would like to provide, and unfortunately the demo is not working. I'm not sure why. Basically we built a tool for mapping out various malware capabilities and comparing them against the various permissions actually required. This is a staggering number of permissions. It's, you know, 20, 30 permissions you need to enable per device to actually get this type of stuff, and that's an important thing when you're also trying to decide, do I think this app is malicious, or do I just not like this app? When you install a calculator and it says it needs access to your photos, there should be questions. People laugh, but this happens all the time. You install a little word game; why does it have access to your phone calls? People install these things all the time. In a lot of cases, they're harvesting information, but they're not outright malicious. With these, we're talking excessive permissions, massive lists. So, something to look out for and something to be on the watch for, but we will make a point of releasing this, posting on BSides's Twitter, X, whatever it's called now, and making it available. Cool.

So what is the impact? Okay, compromised banking credentials. Obviously that's a massive one. If they've got your banking credentials, they can start logging in. Now in some cases they can't: OTPs, two-factor authentication, all kinds of things. They can control your phone. They'll do all kinds of things. They'll bypass biometrics by forcing it back to passwords, forcing it back to OTP. Okay, once this malware is on the phone, it's in control, and all those things you thought were protecting you are not. They're hurting you.

>> Again, just further to the impact, what we've also noticed or saw, as Brent mentioned, is that in some cases they disabled your biometrics. In a few other samples we've noticed they've left the biometrics on. They actually capture your biometrics. So they have your fingerprint and they have your face, and they're actually able to use your data to open fraudulent accounts as well. So we've noticed that the malware is actually adapting to actually use the biometrics as another pivot point to actually defraud you as well.

>> Cool. Again, these are the impacted countries. Just again to put it on screen, let you get an idea. We are not seeing the level of attack here that, for instance, Southeast Asia is seeing. They are seeing so much more than us. But a big, big thing with Southeast Asia: they are a mobile-first banking country. Almost like 95% of the

population only banks on their phone. And that's a big thing. South Africa is very similar. A lot of people are not doing banking via a browser anymore. Their only banking app is on their phone. They're not going into the branch. They're not interacting with a ATM or kiosk. A lot of them are just using the phone. So while this works well, high mobile usage, we're really trusting when it comes to social platforms. We climb onto them so fast it's kind of ridiculous. And [clears throat] being a country that is 85% to most in the Android ecosystem, we're familiar with APKs and in some cases sideloading them for all kinds of various reasons. Okay. Um, and cost pressure. Okay. This

is a big one. Everyone's everyone wants to save a buck. Yeah. Cheaper flights, free streaming. These are things that are hooking people because these are things people actually want. So, what can we do? Yeah. Some defensive strategies, inapp hardening, behavior analytics, thread intel sharing. These are things that obviously app owners can do. They can try to look at how apps are interacting on the same device that their app has installed and [snorts] they can take action. Yeah, Google provides integrity APIs and some functions that do enable you to possibly defend your app against malicious activity. But your app, that's the key. That is not protecting the user per se, just your app. Uh, obviously if things are left to run

on the device, Google eventually takes note. If the frauds just can't get you turn to turn off play protect quick enough, Google will actually flag it and will eventually flag that APK and start noticing it on other devices and telling you it's malicious. So, there is a little bit of protection there, but it's not a lot. Yeah. It takes quite a while for Google to scan. >> Yeah, like BR, it takes quite a while and it's not consistent. We've noticed it takes between 30 to 30 days to 90 days between before they actually notice that these applications are on user on user devices and actually once they so it's not instant. It's not like this oh

well Google will protect me. It doesn't eventually gets there but it it doesn't protect you instantly. So yeah this is one of the malware capabilities to actually disable these checks as well. Now the biggest kind of strategy we can have here from a everyone perspective is obviously user education and awareness campaigns and encouraging people to use the proper apps from the proper stores. It's a big one. Yeah. And again that comes down to any app owner. That's not just the banks. That's not just the financial institutions. Everyone you know whether it's take a lot another targeted or brand impersonation take a lot whether it's DSTV. They should be telling people don't install apps from funky places. Yeah.

Now, as much as this is appealing and as much as you know people want the cheap stuff, we got to start educating them somewhere. Industry collaboration will go a long way. Preventing SIM swaps, fraud uh fraud prevention, maybe throw SMS in the bin, you know, um not a bad idea. Yeah. But these are long off. These are not things we can do overnight. These are not things that the audience can do necessarily. Yeah. And obviously regulatory compliance, possibly even slower. So some takeaways, they're they're targeting mobile first people, people that are primarily sitting on their phones and primarily via social vectors. What can we do? We can collaborate. And that's where you come in. Yeah. It's the

people around you. to the people in your lives that you can educate about these sorts of things that you can warn when you see people going for these free apps, going for free streaming platforms. Yeah, try educate them. Yeah, it's the little bit you can do. Sure, you might not be in control of banking apps or Luno or whatever. Okay, but you can teach people maybe not to go install a Luno from a funky site. Okay. And then teach people about red flags. You want to take this? Yeah. Sure. Yeah. I think like there's just certain red flags or checklist that you can actually tell people like Brent mentioned if something's coming not from official play store, official

distribution, just don't do it. No matter how appealing or free it is, just don't do it. And yeah, I think um anything that's coming from social media that's even more I think it feels appealing but and attractive at the same time, but it's like please don't click this link. I think it's like Bren mentioned it's a very we need to educate the people around us. I think um the social circles need to be expanded and the information needs to go further. Um me I think most of the audience knows here like don't click stuff, don't install stuff. Again the audience in in the room here is like are they really doing that? And it's yes

they're really doing that. So yeah, I think um we need to actually just reach out further and actually educate the people because like Bren said, we can harden our app to the ground, but we're just securing ourselves. And I think we don't want to just secure ourselves. We want to actually secure everyone. And I think that's what our message here today is that um we're making everyone aware that by the way this is happening. Even though it's not really reported or seen in social on social media, in the news, this is real and this is happening. people are losing the the actual real money in in these scenarios and yeah I think we actually don't want to see that

get worse because we we based on what we've seen in South Asia things are just going to ramp up and yeah we actually just trying to aid and assist in in spreading the word on the red flags also what you can immediately see is uh sometimes when an app loads and uh the default phone number is uh not from either the app's location or your location. Yeah, these are simple red flags, but things to keep an eye out for. And us, what are we doing? Well, we're not letting this go. Not from a research perspective, not from a bank perspective, but we're looking for help. The help comes from you, comes from the audience, comes from other companies,

other financial institutions. Yeah. Everyone getting together, sharing information, sharing knowledge, and working together. Yeah. But that's just the start. We hope to improve on this and eventually protect people. Yeah. Thank you. [applause] >> I don't know how many minutes there are for questions because we're getting played off already. Okay, cool. Any questions?

So yeah, it's a good question. Uh we haven't looked at getting them to help unoffiscated. If we know what tool obfiscated it, uh we can sometimes work backwards and get back to where we need to be. In a lot of cases, uh like I say with AI tools and stuff, in some cases it's a bit harder, not [clears throat] too hard in some cases. Um we can actually get there quite quickly. >> Yeah. And then just to that point um the time by the time we figure out how to basically deopiscate or figure out their they moved already 10 10 payloads. So like we've seen that actually daily they changing up their payloads. They changing up the strategy. So we might

figure out how to get to the encryption key today but they're already 10 steps ahead of us. Hi. Um, I just wanted to get your guys thoughts on Google requiring developer verification and registration even for side loading of APKs starting next year. >> So, you say requiring verification. >> They're running it out starting next year with some of these areas and I believe it'll be worldwide after that. >> It's great. You know, like it's it's a start, right? But like for instance, what what what we've been showing today. Um a big problem is that none of this touches Google. This is not sitting on the Play Store, you know, it's all being distributed out of band. Okay. Either

directly dropped via websites and then you're actually getting walked through how to turn on unknown sources, how to sideloadad the app. So unfortunately from that perspective maybe a bit tricky. And yeah um something we also like based on the metrics and the stats that we observed that um these features are only in the new um devices or the new APIs and I think it was like close to 60% of South Africa is still using Android what 9 or 10 right and those and these devices don't doesn't even um have this capabilities so yeah I think yes they doing this verification but it's only in the newer APIs and most of South Africans doesn't even have these um

newer phones and I mean look at our demographic of South Africa we want without cheap phones. So I think uh yeah >> how's the guys? Yeah, thanks for the talk. Um as um as you guys are working for Netbank um what is Netbank doing to protect against gold digger and this kind of stuff. You don't have to well if you can't say it in an open forum. >> Can't say everything. You're welcome to talk to us afterwards. Um obviously there are protections in place um on the app to do what we can. um we can't protect against what's coming next, if that makes sense. So, we're doing what we can to secure apps. Uh we're not

exactly on the app dev team, so I can't speak directly to the most recent um developments and protections that are being put in place, but um obviously between the forensic side, the app dev side doing a lot of work to secure what they can. >> Okay, let's hear that afterwards. >> Cool. All right. Thank you guys for for joining us on this talk. Thank you um Bren Shaw and Dr. Robotto. We appreciate you quite a lot. We have brought you a little something. This one is yours and this one is for you. Please give them one last round of applause. [applause]