Thursday, April 17, 2014

[securityaffairs] New iBanking mobile Trojan exploits Facebook platform

Security experts at ESET detected a new variant ofiBanking Trojan offered in the underground thatexploits Facebookplatform as vector of infection.

iBanking is the name of a mobile banking Trojan app distributed through HTML injection attacks on banking sites. iBanking deceives victims impersonating itself as a  ‘Security App‘ for Android, we have spoken about it  early 2014 when the source code of the mobile malware has been leaked online through an underground forum.
iBanking facebook security app
iBanking mobile banking Trojan is available for sale in the underground for $5,000 according the RSA’s FraudAction Group, the malware is used to avoid the security mechanisms implemented by the banking websites, including two-factor authentication.
iBanking could be commanded via SMS or over HTTP beaconing C&C server every pre-defined interval, then pull and execute the command if one is awaiting it. Thebot implements the following features:
  • Capture all incoming/outgoing SMS messages
  • Redirect all incoming voice calls to a different pre-defined number
  • In/out/missed call-list capturing
  • Audio capturing via device’s microphone
  • Phone book capturing
  • URL status: the mobile device will visit a provided URL, returning its status (possibly for click-fraud schemes.)
Experts at ESET security firm discovered a new variant of iBanking trojan which is exploiting Facebook as vector of infection. 
According a report issued by ESET security researchers, the new version ofiBanking, aka Android/Spy.Agent.AF, is targeting Facebook users by tricking them to download a malware application.
The new variant iBanking Trojan implements a webinject that was totally new for security experts, in fact, it uses JavaScript to inject content into Facebook web pages, in particular to create a fake Facebook Verification page for Facebook users. Once the victim logs into his Facebook account, iBanking  tries to inject the following content into the webpage:
iBanking facebook malware
The above verification page that was designed to request victims, their mobile number in order to verify the Facebook account authenticity.  In case the SMS fails to reach the user’s mobile, one of the successive pages was designed to request victim to download an Android app from an URL displayed or reading a QR code proposed on the screen,.
Once downloaded iBanking, the bot start its activities, it connects to the C&C serverto receive commands.
iBanking, or any other similar malware, represents a privileged choice for cyber criminals due its ability to bypass two-factor authentication, criminalunderground is increasing its offer especially oriented to mobile solutions. iBankingis considered a sophisticated solution according experts at ESET which compared it to other banking trojan like Perkele
iBanking, detected by ESET as Android/Spy.Agent.AF, is an application that showcases complex features when compared with other earlier mobile banking malware, such as Perkele. It can be used in conjunction with any malware able to inject code into a webpage and is generally used to redirect incoming SMS messages to bypass two-factor authentication.” reported ESET.
Another alarming hypothesis is this Facebook iBanking app might be distributed by other banking malware in the next months, cybercriminals could start to adopt mobile components to attack other popular web services that enforce strong authentication.
The “commoditization” of malicious code and the code source leaks will sustain an offer that will increase in complexity and efficiency.
Stay sharp!

No comments:

Post a Comment