Two masked men are discussing a plan to make money during the summer break by creating a fake digital sticker app. They explain that the app will contain malware that can intercept usernames and passwords, including those used for mobile banking. They discuss using the camera to record the user entering their OTP and intercepting the data from active sessions. They believe they can manipulate fund transfer transactions without being detected by the bank. Two masked males were speaking on a computer's not far from William Friday's residence. Prior to the summer vacation, they got the most expensive and most opulent apartment on Greenwich, Maisie Island. Dude, the summer break is coming. We should start moving again in this city now that the moment is right, the man in a mask said. Yes, buddy, you're right. I've got something for you, said his friend. Oh, yeah. A masked man asked another one. Yes, look, let me show something we can use to make money during a peak time, such as this summer break momentum. His companion spoke back. What's that? Asked the first man in a mask while beaming broadly, they could be overheard discussing something. Isn't this digital sticker app cute? The second masked man was questioned. Huh, what the hell was that fake sticker app? The first masked man asked intently as he observed the laptop monitor of his pal. Yes, as you know, it's a real but fake app, right? The second masked man said. This is the deception tactic we'll employ. The man answered with a big smile. So what's the plan? Asked the first masked man. During the summer break, this trick sticker app can definitely make a lot of money. He spoke. Right now is everyone's vacation period, don't you think? The second masked man re-asked. His companion retorted. Sure it has to be. We can make a lot of money during the holiday season. The first masked man said. Yes, the most wonderful time, especially for us who work hard. His pal said. I concur. 
Do you think that those stickers may make money? He inquired. Yes, of course. This is how we get access to a potential victim's smartphone. He retorted. The second masked man said. The first masked man questioned again. So how can you explain that to me, buddy? The second masked man responded. Well, you know that this kind of digital sticker is extremely popular with users of these messaging apps, right? The first masked man continued to ask his buddy for an explanation. Okay, then. The key is this malware. As we all know, passwords can be intercepted by tiny programs that act as snoopers, right? He clarified. Um, yeah, of course. So how does it operate? Asked the first masked man. Very simple. We install this malware on the smartphone. He said. He smiled as he stated. So are you saying that you're going to add this tiny program to this digital sticker application? The first masked man kept asking, but it appeared like he was beginning to get what his companion meant. Yes, of course. We'll add this malware to this application for digital stickers. The second masked man responded, defending his colleague. The first masked man said, um, okay, as he carefully considered the justification. The executable code of this malware will act once this sticker application has been downloaded and installed on a smartphone, and they'll get to work right away. The second masked man spoke. The man in the first mask questioned his friend again. Okay, then. Yes, of course. Using this digital sticker application will instantly activate the malware that is installed on the smartphone. He spoke. The password is then intercepted. Is that what you mean? Asked the first masked man. Exactly. To be precise, username and password. The first masked man exclaimed, um, fascinating. Mobile banking requires a username and password, right? Why did this masked man with a laugh? Of course. His companion spoke back. 
However, don't all fund transfers made through mobile banking have additional security measures, including a one-time password, right? The first masked man inquired once more. His pal answered. Of course. So, how do you get around it? Or snoop on the OTP? Questioned the man. Very simple. Aren't we inside already? His companion retorted with a question. Huh. Inside this smartphone, you mean? Questioned the first masked man while displaying the phone in his hand. Of course. Yes. The executable code is included when one downloads this digital sticker from the app store. He said. Um. The first man in the mask listened to him. When the potential victim's smartphone is turned on, it will actively tap the password to access the mobile bank. He spoke. Are you sure that we can operate on a session that is open at the time a user transacts? Yes. Let me demonstrate. The second masked man said. He indicated the display on his laptop. Sit down, please, and look at its operation. The first masked man sat down next to his partner right away. He immediately focused on what was being shown on the screen. You're aware of mobile app. Operate. Right. The second masked man was questioned. Of course. Yes. Right. By employing the privilege administrator. The second masked man answered. Yes, it is. When a user installs an application, the program will ask for administrator privilege, the highest access level. We can access the smartphone using those access levels. Right. He asked. Yeah. The media used for storage that a program uses, the phone book, the camera, the microphone and our current position. Right. The first masked man answered as he re-asked. You're right. Now the sticker application we developed will have access to these resources after the user approves the permission request. The camera, as an example. Added the second masked man. Okay. Well, then. I assume the camera can act as a screen capture. To tap on a display on a screen. Right. Asked the second masked man. 
It is capable of intercepting what is shown on the screen. But isn't the OTP that the user enters hidden such that the numbers they type are covered by an asterisk or other character. Right. Asked his pal. Of course. Yes. You do, however, understand that the camera can also serve as a video recorder. Right. The second masked man retorted. You want to record a video while the user types numbers into his smartphone to intercept the OTP. Questioned the first masked man. Not really. It depends on the situation at hand. Even without using a camera, we can also intercept it from the inside. In an active session, that is. He spoke. Okay. For instance, each transaction will form an active session when I access the mobile banking app on his smartphone, processing and storing data. Right. Yes. Even if it doesn't need to store data, every session will use it to function. The second masked man said. But we may intercept or modify it once we obtain access. Right. Am. And the numbers will be processed in the active session when the user enters the OTP. Is that what you mean? Again, the first man with a mask inquired. Of course. Yes. It is simple to intercept every character entered. His companion spoke back. However, isn't the way being utilized encrypted? I mean, isn't the line taken during transactions a secure one that is hidden from view? What do you think, buddy? Questioned the first masked man. Of course. Yes. However, as I already stated, we are inside, aren't we? Asked the second masked man. You intend to sniff on sessions that are engaged in app-based transactions, right? His pal again inquired. Yes. We bugged it from the inside. Answered the second masked man. Are you sure we can intercept the OTP process on a secure line? Why not? Yes. For instance, while you are in a safe lane on a freeway, can you hit a person crossing the road with your car, right? The second masked man was questioned. Of course. Yes, because I'm in the area. 
Even when a person was sprinting towards the highway and about to cross it, I could see it plainly. He would have killed right away if my car had hit him. He spoke. Yes, it is. Considering that you were in that lane at the time, right? His pal re-asked. The second masked man responded with an analogy. Yes, it is. Likewise, when this malware is embedded in a smartphone, it will easily tap anything from the inside, right? Damn. Okay, let's say you have obtained the OTP inputted by the user, then what will you do? Asked the first masked man. Let's just simply kick the user. Answered by the second masked man with a flick of his left eye. You mean kick how? How can you do that? I wonder. The first masked man laughed. Check out what is shown on the screen. You take part in an active session when you transact, right? The second masked man was questioned. The first masked man answered. Yes, it is. The second masked man said. Alright, I'm going to hit you out now. What do you mean you want to terminate the session I'm using for this transaction? Asked the first masked man. The second man answered. Yes, that's the analogy. Therefore, I, who are behind you or inside with you, will kick you when you have a fascination with your money. The man said. Are you going to kick my ass or are you going to bash my head in from behind? Sure, why not? His buddy replied. I was using OTP back then, was I? Curious. The first masked man questioned. Yes, it is. When you acquired it, I had a look at your OTP, didn't I? Inquired of the second masked man. However, how can you explain that to me since I'm not sure if you can use the OTP? His pal again inquired. Yes, but did you know that there is a grace period for OTPs? Perhaps five minutes? Re-asked the second masked man. Yes, of course. The first masked man responded. And even if it's just a few seconds, like two or three minutes, the login OTP can be used to authenticate during that window. But it's still useful to me, right? 
The second masked man answered. But are you sure that when you obtain the OTP you can use it to manipulate fund transfer transactions? Yeah, I'm 100% sure about that. Said his buddy, giving an answer. Okay, when you manipulate fund transfer transactions, is there no possibility that your activities are not suspected by the bank? The first masked man asked. What do you mean, brother? The second masked man asked back. Yes, it is possible when you change the transfer destination and the transaction amount and the bank will find out about the suspicious transaction, right? Because it may be that your activities are categorized as suspicious financial transactions. His partner replied. You're right. But how did the bank learn that I took part in uncertain activities with regard to transactions? The second masked wearing man re-asked. You know, maybe they have a fraud detection system. So that the bank might quickly prevent your activity after discovering it. The first masked man kept asking. Huh. You believe that setting the fraud detection tools transaction parameters is easy. Believe me, the bank can't get it right. The man answered. Yes, but you shouldn't underestimate them. The majority of banks employ cybersecurity experts that have obtained worldwide certification. Ask the first masked man. I am aware of that. But their abilities are still not as impressive as we think. How many of them are banking professionals that enroll in international certifications only out of curiosity while the truth is a resounding big zero? The second masked man re-asked. Yes, you're correct. After all, the worldwide certification training never covered how to set transaction parameters on fraud detection systems. Am I right? Ask jokingly to the first masked man. Exactly. After all, the parameters that are set are generally business parameters that have nothing to do with security aspects or at least would never be thought of by people who claim to be experts. 
The second masked man jokingly replied. Well, so you're sure that your thesis will work, buddy? Asked the first masked man. Yes, of course. Of course, it's not like we have to chase a certification to be able to show it. Replied the second masked man in jest. Well, it is an entertaining game and profitable at the same time, right? Said his companion. Sure. The second man with a mask answered. So the steps are to install malware through bogus apps, to intercept passwords and OTPs, and alter fund transfer operations, right? The first man with a mask appeared more enthusiastic. And one more. Said the second masked man. What's that? Asked the first masked man. Making banking practitioners who claim to be experts game? Said the second masked man. Yes, of course, because we are the man in the middle of the attack, right? Said the first masked man. Yes, you're right, or more precisely, we are the driver in the mobile. His pal responded with a big laugh. Okay, let's execute this wonderful plan.