A new threat to the Android platform has been discovered, and this time it targets Facebook users who regularly use mobile banking. The iBanking Android malware is a mobile banking Trojan app that disguises itself as a legitimate security app.
This malware gets into an Android device via a computer. Once a computer is infected with this malware, a message pops up that says “due to a rising number of attempts in order to gain unlawful access to the personal information of our users and to prevent corrupted page data to spread Facebook administration introduces new extra safety protection system.” If the user clicks on this message, they are redirected to a link that asks for their mobile operating system and number. A QR code is then provided to download the Android app to their device.
This technique is called a man-in-the-browser attack, or simply webinjects. Trojans have long used it to display a website that looks like the real one but is actually fake and collects the login credentials of victims.
Once the iBanking app is installed, it asks for administrative access on the device. It is then able to spy on the user’s communications. It can also redirect calls to any pre-defined phone number, steal other confidential data such as contacts and history logs, capture audio using the device’s microphone, and capture incoming and outgoing SMS messages. What’s probably its strongest feature is that it can bypass the two-factor authentication implemented by Facebook and several banking sites.
Last February, the source code for the iBanking malware was released in an underground forum, which made it easier for cybercriminals to take advantage of its capabilities. What’s interesting to note is that, despite being designed to target banking sites, the malware that is spreading right now is targeting Facebook users.
Jean-Ian Boutin, ESET malware researcher, said that “Now that mainstream web services such as Facebook are also targeted by mobile malware, it will be interesting to see whether other types of malware will start using webinjects. Time will tell, but because of the commoditization of mobile malware and the associated code source leaks, this is a distinct possibility.”
The best way to protect your devices against this new malware is not to install any app from questionable sources. As much as possible, always get your apps from the Google Play store. To keep apps from other sources from being installed on your device, make sure to disable the Unknown Sources option under the Applications Settings of your device.
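For anyone reviewing an app that was obtained outside Google Play, the following added example (not code from the article or from ESET) audits a decoded `AndroidManifest.xml` for the combination of capabilities described above: a device administrator request together with SMS, audio, call and contact access. The permission mapping, the flagging threshold and the sample manifest are assumptions made for illustration, and the input is assumed to be a manifest already decoded to text (for example with apktool).

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping from the capabilities the article lists to standard Android
# permissions; it is not derived from an analysis of an iBanking sample.
CAPABILITIES = {
    "sms_capture": {P + "RECEIVE_SMS", P + "READ_SMS", P + "SEND_SMS"},
    "audio_capture": {P + "RECORD_AUDIO"},
    "call_redirect": {P + "CALL_PHONE", P + "PROCESS_OUTGOING_CALLS"},
    "contacts_and_logs": {P + "READ_CONTACTS", P + "READ_CALL_LOG"},
}

def audit_manifest(xml_text):
    """Summarise the sensitive capabilities a decoded manifest requests."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    caps = sorted(n for n, perms in CAPABILITIES.items() if perms & requested)
    # A device-admin component is a receiver guarded by BIND_DEVICE_ADMIN that
    # listens for the DEVICE_ADMIN_ENABLED broadcast.
    admin = any(
        r.get(NS + "permission") == P + "BIND_DEVICE_ADMIN"
        and any(a.get(NS + "name") == "android.app.action.DEVICE_ADMIN_ENABLED"
                for a in r.iter("action"))
        for r in root.iter("receiver")
    )
    # Assumed threshold: device admin plus two or more capability groups.
    return {"package": root.get("package"), "capabilities": caps,
            "device_admin": admin, "flag": admin and len(caps) >= 2}

# Constructed sample manifest for a hypothetical "security" app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A flagged result is a prompt for closer review, not proof of malice, since legitimate security apps can request a similar set of permissions.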