Source code for Android iBanking bot surfaces on underground forum

The leaked source code could lead to a larger number of attacks using the mobile malware, security researchers from RSA said

The source code for an Android mobile banking Trojan app was released on an underground forum, making it possible for a larger number of cybercriminals to launch attacks using this kind of malware in the future.

The Trojan app had initially appeared on the underground market late last year with a price of US$5,000, according to researchers from RSA, the security division of EMC, who spotted the recent source code leak.

The malware app, which the RSA researchers call iBanking, is used in conjunction with PC malware to defeat mobile-based security mechanisms used by banking sites.

Most PC malware that targets online banking users can inject content into browsing sessions. This capability is used to display rogue Web forms on banking sites in order to steal log-in credentials and other sensitive financial information from users. Such malware can also "ride" the active online banking sessions of victims to initiate rogue transactions from their accounts.

Many banks responded to these threats by implementing two-factor authentication and transaction authorization systems that work by sending unique one-time-use codes to their customers' registered phone numbers via SMS.

Faced with an increasing need to access their victims' text messages in order to defraud them, attackers have started to create mobile malware like iBanking for this purpose.

The iBanking malware was distributed "through HTML injection attacks on banking sites, social engineering victims into downloading a so-called 'security app' for their Android devices," the RSA researchers said Thursday in a blog post.

In addition to capturing incoming and outgoing text messages, the iBanking app can redirect calls to a pre-defined phone number, capture audio from the surrounding environment using the device's microphone and steal data like the call history log and the phone book, the researchers said.

The malware connects to a command-and-control server that allows attackers to issue commands to each infected device, making iBanking not just a Trojan app, but a botnet client.

The iBanking source code leak spotted recently by the RSA researchers involved the source code for the malware's Web-based control panel and a script that can customize the iBanking APK (Android application package) with different configurations.

The malicious APK can be customized to masquerade as a security app or an app created by a targeted financial institution. During installation it asks for administrative rights, which can make it harder to remove at a later time, the RSA researchers said.
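One defensive use of the capability list above, as an added example that is neither RSA's code nor anything from the iBanking leak: a Python triage check over a decoded AndroidManifest.xml that flags the combination the article describes, SMS interception paired with a device-admin receiver and further spying permissions (call diversion, microphone capture, call log and contact access). The sample manifest and its package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets named after the iBanking features the article lists;
# each maps to the Android permissions that grant that capability.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "call_diversion": {"android.permission.PROCESS_OUTGOING_CALLS"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "call_log_theft": {"android.permission.READ_CALL_LOG"},
    "contacts_theft": {"android.permission.READ_CONTACTS"},
}
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml: str) -> dict:
    """Report requested capability buckets, whether a device-admin receiver is declared,
    and a verdict: 'suspicious' when SMS interception is paired with device admin
    and at least one other bucket, otherwise 'low'."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    hits = sorted(name for name, perms in CAPABILITIES.items() if requested & perms)
    device_admin = False
    for receiver in root.iter("receiver"):
        # Either the BIND_DEVICE_ADMIN permission or the enable action marks an admin receiver
        if receiver.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION:
            device_admin = True
        if any(a.get(ANDROID_NS + "name") == DEVICE_ADMIN_ACTION for a in receiver.iter("action")):
            device_admin = True
    suspicious = "sms_interception" in hits and device_admin and len(hits) >= 2
    return {"capabilities": hits, "device_admin": device_admin,
            "verdict": "suspicious" if suspicious else "low"}


# Constructed sample manifest shaped like the fake "security app" the article
# describes; the package name is a placeholder, not a real indicator.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.placeholder.securityapp">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run against a manifest pulled from an APK with apktool or a similar decoder; the verdict is a triage hint for further analysis, not a malware classification.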

In the past, the leaked source code for other commercial online banking malware programs like Zeus led to a larger number of attacks using those threats and enabled cybercriminals to create more sophisticated Trojan programs based on them.

As a result of this recent code leak, "Trojan botmasters are now in a better position to incorporate this advanced mobile counterpart in their PC-based attacks, affording them control over their victims' smartphones," the RSA researchers said.

"The malware's ability to capture SMS messages and audio recordings, as well as divert voice calls makes step-up authentication all the more challenging as fraudsters gain more control over the OOB [out-of-band] device," the researchers said. "This highlights the need for stronger authentication solutions capable of validating users' identities using multiple factors including biometric solutions."


Stories by Lucian Constantin
