Researchers at RSA, the security division of EMC, have recently traced a forum post leaking the source code of the iBanking mobile bot control panel. Apart from the server-side source code, the leaked files also include a builder (a bash script) that can unpack the existing iBanking APK file and repack it with different configurations, essentially providing fraudsters with the means to create their own unique application.
The iBanking mobile bot is a relative newcomer to the mobile malware scene, and has been available for sale in the underground for $5,000 since late last year. It was first seen spreading through HTML injection attacks on banking sites, social engineering victims into downloading a so-called “security app” for their Android devices.
The malware goes beyond being yet another SMS-sniffer app, offering features such as call redirecting, audio recording (using the device’s mic) and data stealing. It is an example of the ongoing developments in the mobile malware space, and RSA says it is now seeing the next generation of malicious apps being developed and commercialized in the underground, boasting web-based control panels and packing more data-stealing features.
In order to deceive its victims, the iBanking app disguises itself in different ways. “During our analysis we observed two main graphic templates: one made use of its target’s logos and monikers (in our analysis a well-known financial institution), and in another it masqueraded as a security app. Furthermore, during the installation process the app attempts to social engineer the user into providing it with administrative rights, making its removal much more difficult,” said RSA FirstWatch researcher Lior Ben-Porat in a blog post.
With the apparent code leak, Trojan botmasters are now in a better position to incorporate this advanced mobile counterpart in their PC-based attacks, affording them control over their victims’ smartphones. What’s more, the panel’s “sandboxing” feature, supporting multiple unrelated attack campaigns (or mobile botnets), may encourage mobile-botnet-as-a-service offerings in the underground marketplace.
The malware’s ability to capture SMS messages and audio recordings, as well as divert voice calls, makes step-up authentication all the more challenging as fraudsters gain more control over the out-of-band (OOB) device. “This highlights the need for stronger authentication solutions capable of validating users’ identities using multiple factors including biometric solutions. The latter will also assist in reducing the dependency on conscious human intervention making social engineering attempts void,” said Lior Ben-Porat.
The full RSA blog post can be found here: https://blogs.rsa.com/ibanking-mobile-bot-source-code-leaked/