9:30 ET, 27 February 2014

iBanking is a new mobile banking Trojan available for sale in the underground for $5,000 according the RSA’s FraudAction Group. 

The source code for iBanking banking trojan has been leaked online through an underground forum, this kind of news reports a serious threat from the cybercrime ecosystem.

Like happened for other trojan, including Zeus and Carberp, the availability on line for their source code is a driving force for many criminal activities, many players begin to customize their own versions or to offer development services to other criminals in the model that we have identified as malware-as-a-service.

b1

Mobile devices are a fundamental component of our life, their penetration level is in constantly growing and it is natural that cybercrime is increasing to conduct targeted attacks against mobile platforms and applications.

The offer of commodities in the underground market to compromise mobile systems is very articulate and every day it proposes new products for cyber criminals.

Malware authors are also developing new attack patterns specifically for mobile that consider also the habits of customers for industries and countries.

iBanking is a new mobile banking Trojan which impersonates itself as a legitimate Android Security App to deceive victims, it’s code is available for sale in the underground for $5,000 according the RSA’s FraudAction Group

The app attempts to deceive victims with social engineering techniques requesting administrative rights to perform malicious activities on the handset and avoiding detection.

“RSA researchers have recently traced a forum post leaking the iBanking mobile bot control panel source-code. Apart from the server-side source-code, the leaked files also include a builder (a bash[1] script) that can un-pack the existing iBanking APK file and re-pack it with different configurations, essentially providing fraudsters with the means to create their own unique application.

iBanking mobile bot is a relative new-comer to the mobile malware scene, and has been available for sale in the underground for $5,000 since late last year. We first saw it spread through HTML injection attacks on banking sites, social engineering victims into downloading a so-called “security app” for their Android devices.” explained  in the blog post the Head of knowledge delivery and business development for RSA’s FraudAction Group, Daniel Cohen. 

b2

It’s clear that the availability of iBanking mobile bot source code will give the opportunity for cybercriminals to build customized versions of the malware in the future.

Daniel Cohen remarked that the proposal for mobile banking trojan source code is a new for the cyber criminal ecosystem despite the proposal in the underground marketplace is very articulate.

The bot could be commanded via SMS or over HTTP beaconing C&C server every pre-defined interval, then pull and execute the command if one is awaiting it. The app implements the following features:

  • Capture all incoming/outgoing SMS messages
  • Redirect all incoming voice calls to a different pre-defined number
  • In/out/missed call-list capturing
  • Audio capturing via device’s microphone
  • Phone book capturing
  • URL status: the mobile device will visit a provided URL, returning its status (possibly for click-fraud schemes.)

iBanking malware could be used to avoid the security mechanisms implemented by the banking websites, including two-factor authentication.

“Apart from the server-side source-code, the leaked files also include a builder that can un-pack the existing iBanking APK file and re-pack it with different configurations, essentially providing fraudsters with the means to create their own unique application,” said Cohen.

The diffusion of malware like iBanking is an alarming sign for the security community that needs to define more sophisticated, and easy to use, authentication methods to neutralize the trick developed by authors of banking trojan.

“The malware’s ability to capture SMS messages and audio recordings, as well as divert voice calls makes step-up authentication all the more challenging as fraudsters gain more control over the OOB device. This highlights the need for stronger authentication solutions capable of validating users’ identities using multiple factors including biometric solutions.”

No doubts, the complexity of mobile malware will increase and security community must develop a proper mitigation strategy.

Pierluigi Paganini

(Editor-In-Chief, CDM)

rsa-logo