iBanking Android malware disguised as legitimate apps

On underground cybercrime markets, iBanking is a well-known piece of malware, and one of the most expensive ones, too.

“iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS,” shared Symantec researchers. “It can also be used to construct mobile botnets and conduct covert surveillance on victims.”

The app itself now has the following capabilities:

  • stealing phone information and contacts
  • intercepting outgoing and incoming SMS messages and calls, and uploading them to a server controlled by criminals
  • redirecting calls; recording audio with the help of the phone’s microphone and uploading it to the aforementioned remote server
  • preventing the removal of the application and wiping/restoring phone to the factory settings (if administrator rights are enabled)
  • accessing the phone’s file system and program listing; and more.

The earliest versions of the app were first spotted in August 2013, and were only capable of redirecting calls and stealing SMS messages. In the meantime, the creator and owner of the malware – an individual that chose the online handle “GFF” – has been adding functionalities bit by bit, and the final product now costs up to US$5,000 (the buyer gets a subscription, updates, tech support).

The steep price tends to alienate most potential users, and those who opt to buy a subscription are usually well-established professional cybercrime groups. They continue to do so even though the malware’s source code has been leaked in February and is available for free – the are paying for the updates, new features, and tech support.

Symantec researchers say that after the source code was leaked, there was a significant increase in attacks wielding iBanking.

Past instances of attackers using the app include the so-called Neverquest crew operating out of Easter Europe and using it in conjunction with the information stealing Snifula Trojan; another Eastern-European threat actor going by the handle “Zerafik”, targeting Dutch bank ING; and a threat actor known as “Ctouma” who use an early version of the app to target users of a Thai bank.

“While Thailand itself is not typically associated with financial fraud attacks, it is possible that these attacks may have served as a test bed for early versions of the malware, in order to test its effectiveness,” noted the researchers.

Users usually get infected with iBanking posing as a legitimate app via a financial Trojan on their PC.

“The attacker launches a pop-up urging the victim to install an Android app for added security,” they explain. “Victim fills in form with mobile number and details and sends it to the attacker, who then sends an SMS with the download link for iBanking to the victim’s mobile.”

The victim downloads and runs the app, and iBanking begins to leak data to the attackers.

It’s interesting to note that the attacker can control the app even if the infected device isn’t connected to the Internet. If it is, the attacker uses HTTP to send instructions to it, if not, it uses SMS messages.

Don't miss