Last month we reported on the latest threat to hit the Android platform, which targets Facebook users who regularly do mobile banking on their devices. Now Symantec has reported that the malware, known as iBanking, has been further developed to perform other nefarious activities and is even being sold for $5000, a price that includes updates and technical support.
The main culprits behind the development of the iBanking malware are powerful Russian cybercriminals who have enhanced its features to create various attacks on financial institutions. The individual or group of individuals involved in the sale of this malware is known as GFF. For those interested in buying the malware who can’t afford the upfront cost of $5000, a lease can be arranged in exchange for a share of the profits.
How does this malware work? iBanking disguises itself as a legitimate social networking, banking, or security application and attacks outdated security measures employed by certain banks. It can intercept the one-time passwords sent to mobile devices through SMS, and it can be used as a mobile botnet that conducts covert surveillance on a target. Its more advanced features include toggling between HTTP and SMS control depending on the availability of an Internet connection.
iBanking gets onto an Android device through social engineering: victims are lured into installing it themselves. A victim will most likely have their PC infected first with a financial Trojan. They will then receive a pop-up message telling them to install a mobile app, which it claims is an added security measure.
The victim is then asked for his or her phone number and the operating system of their mobile device before a download link is sent via SMS. Once the app is installed on a device, the hacker has complete control over it.
Some of the new features of this malware now include:
- Stealing phone information – phone number, ICCID, IMEI, IMSI, model, operating system
- Intercepting incoming/outgoing SMS messages and uploading them to the control server
- Intercepting incoming/outgoing calls and uploading them to the control server in real time
- Forwarding/redirecting calls to an attacker-controlled number
- Uploading contacts information to the control server
- Recording audio on the microphone and uploading it to the control server
- Sending SMS messages
- Getting the geolocation of the device
- Access to the file system
- Access to the program listing
- Preventing the removal of the application if administrator rights are enabled
- Wiping/restoring phone to the factory settings if administrator rights are enabled
- Obfuscated application code
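Most of the capabilities in this list depend on Android permissions that an app has to declare in its manifest, which gives defenders something to check before an unknown "security" app is trusted. The following is an added example, not code from Symantec or from the malware: it assumes the manifest has already been decoded to text XML, the sample manifests and package names are constructed, and the scoring rule is an assumed heuristic rather than a signature for iBanking.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Capability from the list above -> Android permissions that enable it.
CAPABILITIES = {
    "steal phone information": {"READ_PHONE_STATE"},
    "intercept SMS": {"RECEIVE_SMS", "READ_SMS"},
    "send SMS": {"SEND_SMS"},
    "intercept or redirect calls": {"PROCESS_OUTGOING_CALLS", "CALL_PHONE"},
    "upload contacts": {"READ_CONTACTS"},
    "record audio": {"RECORD_AUDIO"},
    "geolocation": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
}

def triage(manifest_xml):
    """Map a decoded manifest's permissions onto the capabilities listed above."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
                 for el in root.iter("uses-permission")}
    found = sorted(c for c, perms in CAPABILITIES.items() if perms & requested)
    # A device-admin receiver is what lets an app resist removal or wipe the phone.
    admin = any(el.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for el in root.iter("receiver"))
    # Assumed heuristic: SMS interception plus device admin, or plus 4+ capabilities.
    suspicious = "intercept SMS" in found and (admin or len(found) >= 4)
    return {"capabilities": found, "device_admin": admin, "suspicious": suspicious}

# Constructed sample: an app presented as a bank's "added security measure".
FAKE_SECURITY_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.banksecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application><receiver android:name=".AdminReceiver"
      android:permission="android.permission.BIND_DEVICE_ADMIN"/></application>
</manifest>"""

# Constructed sample: a flashlight app that only needs the camera.
FLASHLIGHT_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("fake security app", FAKE_SECURITY_APP), ("flashlight", FLASHLIGHT_APP)):
        print(name, triage(manifest))
```

A positive result only means the app asks for the same combination of powers the article describes; legitimate SMS or device-management apps can request them too, so the output is a prompt for closer review.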
Symantec predicts that bot activity related to iBanking will increase in the coming months. GFF now even claims that it has developed a BlackBerry version of the malware, which it has yet to release.