iBanking: Exploiting the Full Potential of Android Malware


Powerful Russian cybercrime gangs have begun to use premium Android malware to broaden their attacks on financial institutions. The tool, known as iBanking, is one of the most expensive pieces of malware Symantec has seen on the underground market and its creator has a polished, Software-as-a-Service business model. 

Operating under the handle GFF, its owner sells subscriptions to the software, complete with updates and technical support for up to US$5,000. For attackers unable to raise the subscription fee, GFF is also prepared to strike a deal, offering leases in exchange for a share of the profits. 

iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS. It can also be used to construct mobile botnets and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection. 

Its high price tag meant that use was initially confined mainly to well-resourced cybercrime gangs but, with the recent leak of its source code, Symantec has seen a significant increase in activity around iBanking and attacks are likely to grow further in the near future.

How it works
Attackers use social engineering tactics to lure their victims into downloading and installing iBanking on their Android devices. The victim is usually already infected with a financial Trojan on their PC, which will generate a pop-up message when they visit a banking or social networking website, asking them to install a mobile app as an additional security measure. 

Figure 1. How an iBanking victim is infected

The user is prompted for their phone number and the device operating system and will then be sent a download link for the fake software by SMS. If the user fails to receive the message for any reason, the attackers also provide a direct link and QR code as alternatives for installing the software. In some cases, the malware is hosted on the attackers’ servers. In other cases, it is hosted on reputable third-party marketplaces. 

iBanking can be configured to look like official software from a range of different banks and social networks. Once it is installed on the phone, the attacker has almost complete access to the handset and can intercept voice and SMS communications. 

iBanking has evolved from a simple SMS stealer into a powerful Android Trojan, capable of stealing a wide range of information from an infected handset, intercepting voice and text communications, and even recording audio through the phone’s microphone.

Early, pre-sale versions were seen in August 2013. They had limited functionality and could simply redirect calls and steal SMS messages. iBanking’s owner, who operates under the handle GFF, has continually refined the malware. By September 2013, it had gone on sale on a major Eastern European underground forum and was already replete with a broad range of functionality. 

iBanking can be controlled through both SMS and HTTP. This effectively provides online and offline options for command and control. By default, the malware checks for a valid Internet connection. If one is found, it can be controlled over the Web through HTTP. If no Internet connection is present, it switches to SMS.

iBanking’s main features now include:

  • Stealing phone information – phone number, ICCID, IMEI, IMSI, model, operating system
  • Intercepting incoming/outgoing SMS messages and uploading them to the control server 
  • Intercepting incoming/outgoing calls and uploading them to the control server in real time
  • Forwarding/redirecting calls to an attacker-controlled number 
  • Uploading contacts information to the control server
  • Recording audio on the microphone and uploading it to the control server 
  • Sending SMS messages
  • Getting the geolocation of the device 
  • Access to the file system 
  • Access to the program listing 
  • Preventing the removal of the application if administrator rights are enabled 
  • Wiping/restoring phone to the factory settings if administrator rights are enabled 
  • Obfuscated application code  
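
The feature list above can be turned into a static triage check on an app's manifest. The following is an added example, not code from the original article or from Symantec; it assumes the manifest has already been decoded to text XML, and the feature-to-permission mapping and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the features listed above to Android permissions.
# The article does not say which permissions iBanking actually requests.
CAPABILITY_PERMISSIONS = {
    "phone information": {"READ_PHONE_STATE"},
    "SMS interception": {"RECEIVE_SMS", "READ_SMS"},
    "sending SMS": {"SEND_SMS"},
    "call interception/redirection": {"PROCESS_OUTGOING_CALLS", "CALL_PHONE"},
    "contacts upload": {"READ_CONTACTS"},
    "audio recording": {"RECORD_AUDIO"},
    "geolocation": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
}

def triage_manifest(manifest_xml):
    """Return (capabilities, wants_device_admin) for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID + "name", "").rsplit(".", 1)[-1]
                 for el in root.iter("uses-permission")}
    caps = sorted(c for c, perms in CAPABILITY_PERMISSIONS.items()
                  if perms & requested)
    # Device-admin receivers are protected by BIND_DEVICE_ADMIN.
    admin = any(r.get(ANDROID + "permission", "").endswith("BIND_DEVICE_ADMIN")
                for r in root.iter("receiver"))
    return caps, admin

def is_high_risk(manifest_xml, min_caps=4):
    """Flag SMS interception plus device admin plus a broad capability set."""
    caps, admin = triage_manifest(manifest_xml)
    return admin and "SMS interception" in caps and len(caps) >= min_caps

def _manifest(perms, admin_receiver=False):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join('<uses-permission android:name="android.permission.%s"/>' % p
                   for p in perms)
    recv = ('<receiver android:name=".Admin" android:permission='
            '"android.permission.BIND_DEVICE_ADMIN"/>') if admin_receiver else ""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            ' package="com.example.sample">%s<application>%s</application>'
            '</manifest>' % (uses, recv))

SUSPECT = _manifest(["RECEIVE_SMS", "SEND_SMS", "READ_PHONE_STATE",
                     "RECORD_AUDIO", "READ_CONTACTS"], admin_receiver=True)
BENIGN = _manifest(["INTERNET", "ACCESS_FINE_LOCATION"])

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage_manifest(xml), is_high_risk(xml))
```

A match is a reason to look closer, not a verdict: legitimate apps can request several of these permissions, so the combination with a device-admin receiver is what the check weights.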

While iBanking was initially only available from GFF at a premium price of US$5,000, the source code for the malware was leaked in February. Not surprisingly, this resulted in an immediate increase in bot activity relating to iBanking. Symantec predicts that this upsurge in activity will continue as news of the leaked source code spreads through the underground. 

However, we believe that the more professional cybercrime groups will continue to pay for the product, allowing them to avail of updates, technical support and new features. The leaked version of iBanking is unsupported and contains an unpatched vulnerability.

GFF continues to develop iBanking and add new features. They have also claimed that they are developing a version for BlackBerry, although this has yet to go on sale. 

How one hacker’s search for stolen Bitcoins led to an attack on the BBC and the leak of iBanking’s source code
The source code for iBanking was leaked following a bizarre series of events in which a hacker went on an attacking spree as part of a quest to retrieve 65,000 stolen Bitcoins. 

Figure 2. ReVOLVeR uses Twitter to brag about attacking the BBC

It began in December 2013 when hacker ReVOLVeR began investigating the theft of 65,000 Bitcoins from a friend. ReVOLVeR traced the theft to the friend’s mobile phone and found an iBanking infection which they believed had leaked the username and password for their Bitcoin wallet.

ReVOLVeR discovered that the infected phone was communicating with a C&C server, myredskins.net, which they went on to compromise. On this server, they discovered leaked FTP credentials for the BBC’s website. The credentials may have been stolen from an SMS sent to a mobile phone owned by a BBC staff member infected with iBanking. Alternatively, they may have been taken from a third party who had been given access to the server. 

ReVOLVeR then used these credentials to log into the BBC server, root the account and begin cracking additional credentials. He posted about his progress on Twitter, updating his followers with screenshots and dumps on SendSpace. 

Once finished with the BBC, ReVOLVeR then turned his attention to iBanking and attempted to sell the malware as his own on an underground forum. He did little to cover up the origin of the malware, simply reusing the post GFF had originally used to advertise iBanking on a different forum. Not surprisingly, ReVOLVeR was promptly banned from the forum. 

Not long after this, in February, another hacker who uses the handle Rome0 posted the source code to iBanking on a carding forum along with a simple script which could re-configure the iBanking application. Instead of charging for the malware, this version was made available for free. It is unclear whether Rome0 acquired the source code from ReVOLVeR or simply read about his attack on the C&C server and imitated it, but the two incidents appear to be linked. 

The release of the source code coincided with a significant uptick in iBanking activity. Despite the availability of a free version, our research suggests that most of the large cybercrime actors are continuing to opt for the paid-for version. They appear to be willing to pay a premium for the updates and support provided by GFF.

The gangs using iBanking
One of the most active iBanking users is the Neverquest crew, a prolific cybercrime group that has infected thousands of victims with a customized version of Trojan.Snifula. This financial Trojan can perform Man-in-the-Middle (MITM) attacks against a range of international banks. The Neverquest crew utilizes iBanking to augment its Snifula attacks, capturing one-time passwords sent to mobile devices for out-of-band authentication and transaction verification. Control numbers (the mobile numbers that the bots can receive instructions from) indicate that the Neverquest crew is likely operating out of Eastern Europe. 

Another threat actor utilizing iBanking is Zerafik, who also appears to operate from Eastern Europe. Zerafik operated a command-and-control (C&C) server located in the Netherlands which was subsequently hacked, with details posted publicly on ProtectYourNet. The leak revealed that iBanking installations controlled by this C&C server were configured to target customers of Dutch bank ING, with the app disguised to look like an official app from the company. The iBanking campaigns uncovered by this breach involved multiple segregated botnets that could be controlled through a single panel, allowing for the attacker to control multiple campaigns from a single user interface. 

One of the first users of iBanking was an actor known as Ctouma, who has a history of involvement with scam websites and trading in stolen credit card data. Their email address ([email protected]) had been used to set up a service which sells stolen credit card information. 

Ctouma employed one of the earliest versions of the malware, which wasn’t even for sale at the time. It was disguised as a mobile application for a Thai bank. While Thailand itself is not typically associated with financial fraud attacks, it is possible that these attacks may have served as a test bed for early versions of the malware, in order to test its effectiveness. 

Symantec detects this threat as Android.iBanking.

Since iBanking victims are usually tricked into installing the app by a desktop financial Trojan, keeping your desktop antivirus software up to date will help avoid infection. 

You should be wary of any SMS messages which contain links to download APKs (Android application package files), especially from non-reputable sources. IT administrators should consider blocking all messages which contain a link to install an APK. 
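
One way a message gateway could implement the APK-link check suggested above, as an added example that is not part of the original article. The function names and sample messages are constructed, and the check only inspects the URL text itself.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Matches http(s) links and bare "www." links inside free text.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)

def apk_links(message):
    """Return URLs whose path or query values name an .apk file."""
    hits = []
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,;:!?)]}")           # drop sentence punctuation
        if not url.lower().startswith("http"):
            url = "http://" + url               # schemeless "www." link
        parts = urlsplit(url)
        # Check the decoded path and every decoded query value, so that
        # "?file=token%2Eapk" is caught as well as "/token.apk".
        candidates = [unquote(parts.path)]
        candidates += [value for _, value in parse_qsl(parts.query)]
        if any(c.lower().endswith(".apk") for c in candidates):
            hits.append(url)
    return hits

def should_block(message):
    """True when the message carries at least one APK download link."""
    return bool(apk_links(message))

# Constructed sample messages (not taken from any real campaign).
SAMPLES = [
    "Install your bank token: http://downloads.example.net/secure/BankToken.APK.",
    "Get it here https://example.org/get?file=token%2Eapk&id=7",
    "Statement ready at https://bank.example.com/statements/2014-05.pdf",
    "Read https://example.com/what-is-apk",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(should_block(text), apk_links(text))
```

Shortened or redirecting links do not show the file name in the URL, so a filter like this has to be paired with redirect resolution at the gateway to cover them.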

Some iBanking APKs have been seeded onto trusted marketplaces and users should be aware of this as a potential avenue of infection.

Users should be wary of sharing sensitive data through SMS, or at least be aware that malicious programs are sniffing this data.

BBC Sport in Rugby World Cup Twitter spam slip-up

A compromised Twitter account has resulted in the embarrassing broadcast of a spam message via the BBC’s website.

More and more TV stations are encouraging both their staff and their viewers to jump onboard the social media bandwagon, and use the likes of Twitter to interact and keep up-to-date with the latest developments. But if you don’t take care, you may end up with some egg on your face.

Take, for example, BBC Sport’s extensive online coverage of the Rugby World Cup, where alongside the match reports and videos you can also follow the latest tweets from the BBC’s Rugby correspondents.

It sounds like a terrific idea – a great way for sports fans to keep up with the latest developments from the BBC’s team of experts. But take a closer look and you’ll find that Jim Mason, BBC Scotland’s rugby correspondent, appears to have had his Twitter account compromised. Overnight it sent out a spam message encouraging people to investigate an Acai Berry diet.

Serious about shedding a few pounds? read this its interesting! [LINK]

Jim only has a few hundred followers of his Twitter account, so this spam won’t have had a huge impact there. But because it has been syndicated to a much wider audience via the BBC’s sports website it has the potential to reach many more people and – of course – increase embarrassment for the corporation.

Some 14 hours after the tweet first appeared, it still hasn’t been deleted – and is still appearing on the BBC’s website.

If you were to click on the link (I wouldn’t recommend it) you would be taken to a website that poses as a fake news page, promoting the miracle Acai Berry diet.

Acai Berry diet spam website

My guess would be that Jim’s Twitter password has been phished. He should change it immediately, and ensure that he is not using the same password on any other website.

And if you’re a media organisation – consider how you’re going to handle an authorised Twitter message appearing on your website. This time it was just spam, but it could have been something much more malicious.

BBC Lottery: Have you won too?

I must be the luckiest person on the planet – I keep winning lotteries!

Here’s the latest notification – straight from Aunty Beeb herself, the BBC.

Bogus BBC lottery email

Apparently the BBC is now deciding who has won the lottery based not upon who bought tickets, but instead simply by pulling email addresses out of a hat! That seems so much more efficient than the old way.

You may have thought that there had to be enough people putting a little bit of money *into* the lottery for a small number of people to get a lot *out* of it – but apparently not anymore! Maybe they’re just pleased I’ve been paying the TV license fee for the last twenty years or so.

Now, if you receive an email like this there are probably people out there who will try to convince you that it’s a scam, that it wouldn’t be a good idea to hand over your name, address, age, mobile number, date of birth (hang on – don’t they already have that?) to a complete stranger..

..especially to a complete stranger called “Mr Patetr Thomas” (# You say potato, I say Patetr #). And they may even try to warn you that Scottish screen lovely Jenni Falconer doesn’t actually present the Saturday lottery draw on BBC TV, that duty falling to chirpy cheeky chappy Nick Knowles instead.

Jenni Falconer and Nick Knowles

And I must admit I find it hard to confuse the two of them, but I’m sure it’s just an administrative mix-up.

After all, Mr Patetr Thomas (# Let’s call the whole thing off.. #) is probably a very busy chap. After all, it looks like I’m not the only winner of the £1,000,000.

That’s right – there’s lots of us. Just look at the subject line:

*** BULK *** Dear E-Mail User

I would like to imagine that there are no Naked Security readers out there who would fall for a scam email like this – but we must recognise that there are people more vulnerable to these sorts of con-tricks than ourselves.

Do your bit to make sure that the vulnerable members of your family aren’t fooled into believing they are going to win a fortune in a lottery – if they are duped into believing they will be receiving a windfall they might get themselves into an expensive and upsetting pickle.

Naked Security colleague Paul Ducklin recently spoke at a conference dedicated to keeping others from getting ripped off online – especially seniors already on their retirement income, who can least afford it.

You can read more about this heart-wrenching aspect of cybercriminality in his writeup of the event.

As Duck says in his article, “Friends don’t let friends get scammed online.”