$5,000 Android malware-as-a-service subscriptions are making the rounds in the underground, originally crafted for powerful Russian cybercrime gangs looking to broaden their attacks on financial institutions. The tool, known as iBanking, comes complete with updates and technical support included in the fee, and is making its way into the hands of less well-funded users.
“iBanking is one of the most expensive pieces of malware Symantec has seen on the underground market, and its creator has a polished, software-as-a-service business model,” the security firm said in its blog on the subject. However, the owner, who goes by the cryptic but effective GFF, is willing strike a deal with the less well-funded, offering leases in exchange for a share of the profits.
There was also a recent leak of its source code, meaning there could significant increase in activity going forward. The leaked version of iBanking is unsupported and contains an unpatched vulnerability, so serious criminals will likely stick with the paid version.
From humble beginnings as a simple SMS stealer, iBanking has evolved into a powerful Android trojan that can steal phone information, intercept voice and SMS communications, record audio through the phone’s microphone, upload contacts lists, geolocate the device, access file systems and program listings, wipe devices remotely, and forward or redirect calls. iBanking specifically goes after Android users, and often masquerades as legitimate social networking, banking or security applications. Once it is installed on the phone, the attacker has almost complete access to the handset.
“[It] is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS,” Symantec explained. “It can also be used to construct mobile botnets and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection.”
Symantec went on to explain how it the infection works:
After unwittingly downloading iBanking, The victim is usually already infected with a financial Trojan on their PC, which will generate a pop up message when they visit a banking or social networking website, asking them to install a mobile app as an additional security measure.
The user is prompted for their phone number and the device operating system and will then be sent a download link for the fake software by SMS. If the user fails to receive the message for any reason, the attackers also provide a direct link and QR code as alternatives for installing the software. In some cases, the malware is hosted on the attackers’ servers. In other cases, it is hosted on reputable third-party marketplaces.
One of the most active iBanking users is the Eastern European-based Neverquest crew, a prolific cybercrime group that has infected thousands of victims with a customized version of Trojan known as Snifula. Snifula can perform man-in-the-middle (MITM) attacks against a range of international banks. The Neverquest crew utilizes iBanking to augment its Snifula attacks, capturing one-time passwords sent to mobile devices for out-of-band authentication and transaction verification.
Since iBanking victims are usually tricked into installing the app by a desktop financial trojan, keeping desktop anti-virus software up to date will help avoid infection. Users should also be wary of any SMS messages that contain links to download APKs, especially from non-reputable sources. IT administrators should consider blocking all messages which contain a link to install an APK.