Security experts at ESET detected a new variant of iBanking Trojan offered in the underground that exploits Facebook platform as vector of infection.

iBanking is the name of a mobile banking Trojan app distributed through HTML injection attacks on banking sites. iBanking deceives victims impersonating itself as a  ‘Security App‘ for Android, we have spoken about it  early 2014 when the source code of the mobile malware has been leaked online through an underground forum.

i1

iBanking mobile banking Trojan is available for sale in the underground for $5,000 according the RSA’s FraudAction Group, the malware is used to avoid the security mechanisms implemented by the banking websites, including two-factor authentication.

iBanking could be commanded via SMS or over HTTP beaconing C&C server every pre-defined interval, then pull and execute the command if one is awaiting it. The bot implements the following features:

  • Capture all incoming/outgoing SMS messages
  • Redirect all incoming voice calls to a different pre-defined number
  • In/out/missed call-list capturing
  • Audio capturing via device’s microphone
  • Phone book capturing
  • URL status: the mobile device will visit a provided URL, returning its status (possibly for click-fraud schemes.)

Experts at ESET security firm discovered a new variant of iBanking trojan which is exploiting Facebook as vector of infection.

According a report issued by ESET security researchers, the new version of iBanking, aka Android/Spy.Agent.AF, is targeting Facebook users by tricking them to download a malware application.

The new variant iBanking Trojan implements a webinject that was totally new for security experts, in fact, it uses JavaScript to inject content into Facebook web pages, in particular to create a fake Facebook Verification page for Facebook users. Once the victim logs into his Facebook account, iBanking  tries to inject the following content into the webpage:

i2

The above verification page that was designed to request victims, their mobile number in order to verify the Facebook account authenticity.  In case the SMS fails to reach the user’s mobile, one of the successive pages was designed to request victim to download an Android app from an URL displayed or reading a QR code proposed on the screen,.

Once downloaded iBanking, the bot start its activities, it connects to the C&C server to receive commands.

iBanking, or any other similar malware, represents a privileged choice for cyber criminals due its ability to bypass two-factor authentication, criminal underground is increasing its offer especially oriented to mobile solutions. iBanking is considered a sophisticated solution according experts at ESET which compared it to other banking trojan like Perkele

“iBanking, detected by ESET as Android/Spy.Agent.AF, is an application that showcases complex features when compared with other earlier mobile banking malware, such as Perkele. It can be used in conjunction with any malware able to inject code into a webpage and is generally used to redirect incoming SMS messages to bypass two-factor authentication.” reported ESET.

Another alarming hypothesis is this Facebook iBanking app might be distributed by other banking malware in the next months, cybercriminals could start to adopt mobile components to attack other popular web services that enforce strong authentication.

The “commoditization” of malicious code and the code source leaks will sustain an offer that will increase in complexity and efficiency.

Stay sharp!

Pierluigi Paganini

(Editor-In-Chief, CDM)

rsa-logo