technologyvista: How Android malware iBanking is being used by attackers to gain unfettered access to victims' phones

Symantec has uncovered new details on the Android iBanking malware, deeming it one of the most expensive pieces of malware on the underground market at around USD 5,000. According to a blog published by Symantec, powerful Russian cybercrime gangs have started using this premium Android malware to broaden their attacks on financial institutions.

“iBanking is one of the most expensive pieces of malware Symantec has seen on the underground market and its creator has a polished, Software-as-a-Service business model. Operating under the handle GFF, its owner sells subscriptions to the software, complete with updates and technical support for up to USD 5,000. For attackers unable to raise the subscription fee, GFF is also prepared to strike a deal, offering leases in exchange for a share of the profits,” the security firm said in its blog.

iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS. It can also be used to construct mobile botnets and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection.

Symantec notes iBanking can be used by the attacker to do the following:
• Steal phone information – phone number, ICCID, IMEI, IMSI, model, operating system
• Intercept incoming/outgoing SMS messages and calls
• Forward/redirect calls to an attacker-controlled number
• Record audio on the microphone
• Get the geo-location of the device
• Prevent the removal of the application if administrator rights are enabled

How it works

Attackers use social engineering tactics to lure their victims into downloading and installing iBanking on their Android devices. The victim is usually already infected with a financial Trojan on their PC, which will generate a pop-up message when they visit a banking or social networking website, asking them to install a mobile app as an additional security measure.

[Figure: How an iBanking victim is infected]

The user is prompted for their phone number and the device operating system and will then be sent a download link for the fake software by SMS. If the user fails to receive the message for any reason, the attackers also provide a direct link and QR code as alternatives for installing the software. In some cases, the malware is hosted on the attackers’ servers. In other cases, it is hosted on reputable third-party marketplaces. iBanking can be configured to look like official software from a range of different banks and social networks.

Once it is installed on the phone, the attacker has almost complete access to the handset and can intercept voice and SMS communications. iBanking can be controlled through both SMS and HTTP. This effectively provides online and offline options for command and control. By default, the malware checks for a valid Internet connection. If one is found, it can be controlled over the Web through HTTP. If no Internet connection is present, it switches to SMS.

While iBanking was initially only available from, the source code for the malware was leaked in February. Not surprisingly, this resulted in an immediate increase in bot activity relating to iBanking. Symantec predicts that this upsurge in activity will continue as news of the leaked source code spreads through the underground.

Protection
• Since iBanking victims are usually tricked into installing the app by a desktop financial Trojan, keeping your desktop antivirus software up to date will help avoid infection.
• Be wary of any SMS message which contains links to download APKs (Android application package files), especially from non-reputable sources. IT administrators should consider blocking all messages which contain a link to install an APK.
• Some iBanking APKs have been seeded onto trusted marketplaces, and users should be aware of this as a potential avenue of infection.
• Users should be cautious about sharing sensitive data through SMS, or at least be aware that malicious programs are sniffing this data.

Source: bit.ly/SlCFsL
Posted on: Sun, 01 Jun 2014 14:30:01 +0000
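The APK-link blocking suggested under Protection, sketched as an added example (not part of the original post or of Symantec's blog): a gateway-side check that returns block, review or allow for an SMS body. The shortener list, the verdict names and the sample messages are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: hosts treated as link shorteners (destination unknown offline).
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}
# Links with or without a scheme; SMS senders often omit "http://".
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z0-9-]+(?::\d+)?(?:/[^\s<>\"']*)?", re.I)
SEVERITY = {"allow": 0, "review": 1, "block": 2}

def is_apk(name):
    """True if a path or parameter value names an .apk, even percent-encoded."""
    for _ in range(3):  # undo nested encoding such as %252Eapk
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name.lower().rstrip("/").endswith(".apk")

def classify_url(url):
    """Verdict for one link: block an APK download, review a shortener."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    try:
        parts = urlsplit(url)
    except ValueError:
        return "review"  # unparseable link: hold for a human
    if is_apk(parts.path) or any(is_apk(v) for _, v in parse_qsl(parts.query)):
        return "block"
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return "review" if host in SHORTENERS else "allow"

def classify_sms(text):
    """Return the most severe verdict over every link in the message."""
    links = (m.group(0).rstrip(".,;:!?)") for m in URL_RE.finditer(text))
    return max((classify_url(u) for u in links), key=SEVERITY.get, default="allow")

# Constructed sample messages, not captured traffic.
SAMPLES = [
    "Your bank security app: http://mobile-secure.example/dl/BankGuard.APK",
    "Get it: www.example.net/get?file=guard%2Eapk&x=1",
    "Confirm at bit.ly/AbC123",
    "Your OTP is 493021. Do not share it.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(classify_sms(sms), "|", sms)
```

A shortened link is only held for review because its destination cannot be judged without resolving it; a gateway that can follow redirects would classify the final URL instead.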
