New iBanking mobile Trojan exploits Facebook platform

Security experts at ESET have detected a new variant of the iBanking Trojan, offered for sale in the underground, that uses the Facebook platform as its infection vector.

iBanking is the name of a mobile banking Trojan app distributed through HTML injection attacks on banking sites. iBanking deceives victims by presenting itself as a ‘Security App’ for Android. We wrote about it in early 2014, when the source code of the mobile malware was leaked online through an underground forum.


The iBanking mobile banking Trojan is available for sale in the underground for $5,000, according to RSA’s FraudAction Group. The malware is used to evade the security mechanisms implemented by banking websites, including two-factor authentication.

iBanking can be commanded via SMS or over HTTP: the bot beacons to its C&C server at a pre-defined interval, then pulls and executes a command if one is waiting. The bot implements the following features:

  • Capture all incoming/outgoing SMS messages
  • Redirect all incoming voice calls to a different pre-defined number
  • In/out/missed call-list capturing
  • Audio capturing via device’s microphone
  • Phone book capturing
  • URL status: the mobile device will visit a provided URL, returning its status (possibly for click-fraud schemes.)
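From a defender's side, the capability list above translates into a permission profile that can be checked when triaging an Android app. The following is an added example, not code from ESET, RSA or the original article; it assumes the manifest has already been decoded to text XML, and the mapping from capabilities to standard Android permissions is an assumption about what such features generally require, not taken from an iBanking sample. The sample manifests and the `threshold` value are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping: listed capability -> standard Android permissions that such
# a feature generally needs. Not taken from an iBanking sample.
CAPABILITY_PERMISSIONS = {
    "sms_capture": {P + "RECEIVE_SMS", P + "READ_SMS"},
    "call_redirect": {P + "CALL_PHONE"},
    "call_log_capture": {P + "READ_CALL_LOG"},
    "audio_capture": {P + "RECORD_AUDIO"},
    "phone_book_capture": {P + "READ_CONTACTS"},
    "http_beacon": {P + "INTERNET"},
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def triage(manifest_xml, threshold=4):
    """Flag apps that can read SMS, reach the network and hold several more
    of the listed capabilities; a 'security app' rarely needs all of them."""
    perms = requested_permissions(manifest_xml)
    caps = sorted(c for c, needed in CAPABILITY_PERMISSIONS.items() if needed & perms)
    sms_exfil = "sms_capture" in caps and "http_beacon" in caps
    return {"capabilities": caps, "flag": sms_exfil and len(caps) >= threshold}

def _manifest(package, permissions):
    """Build a constructed sample manifest for the demo below."""
    uses = "".join('<uses-permission android:name="%s%s"/>' % (P, p) for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (package, uses))

# Constructed samples, not real applications.
SUSPECT = _manifest("com.example.securityapp", ["RECEIVE_SMS", "CALL_PHONE",
                    "READ_CALL_LOG", "RECORD_AUDIO", "READ_CONTACTS", "INTERNET"])
BENIGN = _manifest("com.example.flashlight", ["INTERNET", "CAMERA"])

if __name__ == "__main__":
    for name, doc in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(doc))
```

A permission profile is only a triage signal: legitimate messaging or dialer apps request similar sets, so a flagged app still needs review of its source and behaviour.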

Experts at the security firm ESET discovered a new variant of the iBanking Trojan that uses Facebook as its infection vector.

According to a report issued by ESET security researchers, the new version of iBanking, aka Android/Spy.Agent.AF, targets Facebook users by tricking them into downloading a malicious application.

The new iBanking variant relies on a webinject that was totally new to security experts: it uses JavaScript to inject content into Facebook web pages, in particular to create a fake Facebook Verification page for Facebook users. Once the victim logs into his Facebook account, iBanking tries to inject this fake verification page into the webpage.


The verification page is designed to ask victims for their mobile number in order to verify the authenticity of the Facebook account. In case the SMS fails to reach the user’s mobile, one of the subsequent pages is designed to ask the victim to download an Android app, either from a displayed URL or by scanning a QR code shown on the screen.

Once iBanking is downloaded, the bot starts its activity and connects to the C&C server to receive commands.

iBanking, like any similar malware, is a privileged choice for cyber criminals due to its ability to bypass two-factor authentication, and the criminal underground is increasing its offer, especially of tools oriented to mobile platforms. iBanking is considered a sophisticated solution by experts at ESET, who compared it to other banking Trojans such as Perkele:

“iBanking, detected by ESET as Android/Spy.Agent.AF, is an application that showcases complex features when compared with other earlier mobile banking malware, such as Perkele. It can be used in conjunction with any malware able to inject code into a webpage and is generally used to redirect incoming SMS messages to bypass two-factor authentication.” reported ESET.

Another alarming hypothesis is that this Facebook iBanking app might be distributed by other banking malware in the coming months; cybercriminals could start adopting mobile components to attack other popular web services that enforce strong authentication.

The “commoditization” of malicious code and source code leaks will sustain an offer that will increase in complexity and efficiency.

Stay sharp!

Pierluigi Paganini

(Editor-In-Chief, CDM)




