Researchers at Symantec have discovered that previously known phishing malware for Android has been further developed into a sophisticated weapon that can perform various other malicious activities, and that can work together with similar apps for Windows, Ars Technica reports. Called iBanking, the malware is available to individuals with malicious intentions for around $5,000.
The software can intercept incoming and outgoing SMS messages, redirect incoming voice calls, capture sounds within range of the microphone, obtain geolocation data, access the file system, “and remotely corral the device into sprawling mobile botnets that use either HTTP or SMS to communicate, depending on the current network status of the infected handset.”
Apparently, iBanking masquerades as a genuine social networking, banking or security application in order to “defeat out-of-band security measures employed by banks.”
“Attackers use social engineering tactics to lure their victims into downloading and installing iBanking on their Android devices,” Symantec wrote. “The victim is usually already infected with a financial Trojan on their PC, which will generate a pop-up message when they visit a banking or social networking website, asking them to install a mobile app as an additional security measure.”
Such pop-up messages have apparently been seen on Facebook pages as well, and they look convincing enough to fool Internet users.
Even more interestingly, iBanking is apparently protected by AES encryption and code obfuscation in order to prevent competitors from devising similar tools for malicious purposes or security researchers from learning more details about it. Furthermore, the malware apparently knows when it’s run in virtual machines for reverse engineering purposes, and won’t run “properly” in such cases.
“Being aware of security-researchers and analysts, and employing anti-analysis mechanism has been a standard among PC-malware developers for quite a while; but is far from standard practice in the mobile malware field,” RSA’s FraudAction Group analyst Daniel Cohen wrote. “The iBanking malware shows that mobile malware developers are becoming aware of the necessity to protect their bots against analysis, and indicates a possible new trend in this new and evolving mobile malware space.”
While the source code for iBanking has been leaked, and some hackers adapted it to their own needs, large cybercrime players apparently rely on the paid version to conduct attacks, rather than the free one.
It’s not clear how many people have been affected by the iBanking malware. However, the iBanking scheme was detailed in December 2013, when it’s believed to have been used to steal some 65,000 Bitcoins from a friend of a hacker, who then used the malware himself. The malware has been around since at least August 2013, when a pre-sale version was spotted.
iBanking will reportedly target BlackBerry users in the future as well.
A list of iBanking “features,” as discovered by Symantec, and an image showing how iBanking works follow below:
- Stealing phone information – phone number, ICCID, IMEI, IMSI, model, operating system
- Intercepting incoming/outgoing SMS messages and uploading them to the control server
- Intercepting incoming/outgoing calls and uploading them to the control server in real time
- Forwarding/redirecting calls to an attacker-controlled number
- Uploading contacts information to the control server
- Recording audio on the microphone and uploading it to the control server
- Sending SMS messages
- Getting the geolocation of the device
- Access to the file system
- Access to the program listing
- Preventing the removal of the application if administrator rights are enabled
- Wiping/restoring phone to the factory settings if administrator rights are enabled
- Obfuscated application code
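Most of the capabilities in the list above can only be exercised if the app declares the corresponding Android permissions, and the "preventing removal" and "factory reset" items require a device-administrator receiver. The following manifest triage script is an added example written for this article; it is not Symantec's tooling nor anything from the iBanking code. The mapping from capabilities to permission names is an assumption based on the standard Android permission set, the two manifests are constructed samples, and the flag rule (SMS interception combined with device-admin rights, the pair that defeats SMS-based out-of-band authentication) is a heuristic chosen for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from the capabilities listed in the article to the standard
# Android permissions an app must declare to use them.
CAPABILITY_PERMISSIONS = {
    "read device identifiers": {"android.permission.READ_PHONE_STATE"},
    "intercept SMS": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "send SMS": {"android.permission.SEND_SMS"},
    "redirect calls": {"android.permission.PROCESS_OUTGOING_CALLS", "android.permission.CALL_PHONE"},
    "upload contacts": {"android.permission.READ_CONTACTS"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "file system access": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE"},
    "network C&C": {"android.permission.INTERNET"},
}

# Constructed sample: a fake "security" app with the profile described in the article.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.banksecure">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a benign-looking utility with a small permission footprint.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""


def parse_manifest(xml_text):
    """Return (declared permissions, whether a device-admin receiver is declared)."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    perms = {e.get(name_attr) for e in root.iter("uses-permission")}
    device_admin = any(
        e.get(perm_attr) == "android.permission.BIND_DEVICE_ADMIN" for e in root.iter("receiver")
    )
    return perms, device_admin


def triage(xml_text):
    """Map declared permissions back to the capability list and apply the flag heuristic."""
    perms, device_admin = parse_manifest(xml_text)
    findings = sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)
    if device_admin:
        findings.append("device administrator (blocks removal, can wipe)")
    # Heuristic: SMS interception plus device-admin rights is the combination that
    # both defeats SMS one-time codes and resists uninstallation.
    flagged = device_admin and "intercept SMS" in findings
    return {"findings": findings, "score": len(findings), "flag": flagged}


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: flag={result['flag']} score={result['score']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Running the script against the two constructed manifests flags the fake security app (nine findings, including device-admin rights) and leaves the flashlight app unflagged with a single finding for network access. On a real fleet the same check would run over manifests extracted from installed APKs; the permission-to-capability table is the part a defender would tune.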