iBanking Android malware grows in power

News by Tim Ring

Underlining the growing threat of mobile malware, security researchers revealed this week that powerful Russian cybercrime gangs are using the iBanking Android Trojan, which is described as commercial quality and "one of the most expensive pieces of malware seen on the underground market".

iBanking's creator, ‘GFF’, is selling subscriptions to the software, including tech support, for almost £3,000 (US $5,000), say Symantec researchers in a 20 May blog post.

iBanking, which was first seen in August 2013, “has evolved from a simple SMS stealer into a powerful Android Trojan,” Symantec says. It relies on social engineering to lure victims into downloading it onto their devices. It is then used to intercept one-time banking passwords sent through SMS, to build mobile botnets, or to conduct covert surveillance of victims.

“iBanking can be configured to look like official software from a range of different banks and social networks,” the researchers say.

They warn that GFF is continuing to upgrade the ‘premium’ package, which can now steal phone ID and location data, intercept text messages and voice calls, forward calls to an attacker-controlled number, and protect itself by concealing its application code and resisting removal once the victim has granted it device administrator rights.
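Every capability in that list has to be declared up front in the app's AndroidManifest.xml (SMS and call permissions, a high-priority SMS_RECEIVED receiver, a receiver guarded by BIND_DEVICE_ADMIN), and code obfuscation cannot hide those declarations. The triage script below is an added example written for this article, not code from Symantec, RSA or the iBanking author; it assumes a manifest already decoded to plain XML (as apktool produces), and both sample manifests are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the capability profile the
article attributes to iBanking-class banking Trojans: SMS interception,
call control/recording, device identity and location, plus a device-admin
receiver that makes uninstall harder. Added example; sample data constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS
A_PRIORITY = "{%s}priority" % ANDROID_NS

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Permission groups mapped to the capabilities listed in the article.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "call_control": {"android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS"},
    "call_recording": {"android.permission.RECORD_AUDIO"},
    "device_identity": {"android.permission.READ_PHONE_STATE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
}


def parse_manifest(xml_text: str) -> dict:
    """Extract declared permissions, device-admin receivers and the highest
    priority of any receiver listening for incoming SMS broadcasts."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    receivers = list(root.iter("receiver"))
    # A device-admin component is a <receiver> protected by BIND_DEVICE_ADMIN.
    device_admin = any(r.get(A_PERMISSION) == BIND_DEVICE_ADMIN for r in receivers)
    sms_priority = None
    for r in receivers:
        for f in r.iter("intent-filter"):
            if any(a.get(A_NAME) == SMS_RECEIVED for a in f.iter("action")):
                p = int(f.get(A_PRIORITY, "0"))
                sms_priority = p if sms_priority is None else max(sms_priority, p)
    return {"package": root.get("package"), "permissions": perms,
            "device_admin": device_admin, "sms_receiver_priority": sms_priority}


def assess(info: dict) -> dict:
    """Score the manifest; the combination SMS interception + device admin is
    treated as high on its own, otherwise the verdict follows the score."""
    caps = {name: sorted(info["permissions"] & wanted) for name, wanted in CAPABILITIES.items()}
    caps = {name: hit for name, hit in caps.items() if hit}
    flags = []
    if "sms_interception" in caps and info["sms_receiver_priority"] is not None:
        flags.append("SMS_RECEIVED receiver at priority %d" % info["sms_receiver_priority"])
    if info["device_admin"]:
        flags.append("device admin receiver (resists uninstall)")
    if "call_control" in caps:
        flags.append("can place or redirect calls")
    score = len(caps) + len(flags)
    if ("sms_interception" in caps and info["device_admin"]) or score >= 5:
        verdict = "high"
    elif score >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": info["package"], "capabilities": caps,
            "flags": flags, "score": score, "verdict": verdict}


# Constructed sample: the profile described in the article, under a hypothetical package name.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with no banking-Trojan profile.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(assess(parse_manifest(m)))
```

The check is deliberately coarse: legitimate SMS and dialler apps request several of these permissions, so treat the verdict as a triage signal that decides which samples get dynamic analysis first, not as a detection in itself. The device-admin receiver is the indicator most worth acting on, since an app that holds it cannot be uninstalled through the normal app settings until admin rights are revoked.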

GFF has also claimed to be developing a version for BlackBerry, but Symantec says this is not yet on sale.

iBanking is currently believed to be used by Eastern European gangs, including the Neverquest crew, described by the researchers as “a prolific cybercrime group that has infected thousands of victims with a customised version of Trojan.Snifula”.

Symantec said the threat actor Zerafik, who also appears to operate from Eastern Europe, has used it to target customers of the Dutch bank ING, while another user, Ctouma, has a history of involvement with scam websites and trading in stolen credit card data.

Despite the fact that iBanking's source code was leaked by a rival hacker, Rome0, in February, the researchers say: “We believe that the more professional cybercrime groups will continue to pay for the product, allowing them to avail of updates, technical support and new features. The leaked version is unsupported and contains an unpatched vulnerability.”

But they also warn: “With the recent leak of its source code, Symantec has seen a significant increase in activity around iBanking and attacks are likely to grow further in the near future.”

A Symantec spokesperson was unable to give more information on the scale of recent attacks and the victims' details or locations.

Symantec's warning of iBanking's growing threat was backed by RSA's Daniel Cohen in a parallel 20 May blog post. Cohen highlighted “several new features” but said “the most intriguing is the use of self-protection mechanisms such as AES encryption, code obfuscation and anti-SDK/VM”.

He added: “Being aware of security researchers and employing anti-analysis mechanisms has been a standard among PC-malware developers for quite a while. iBanking shows that mobile malware developers are becoming aware of the necessity to protect their bots against analysis, and indicates a possible new trend in this evolving mobile malware space.”

Independent security expert Sarb Sembhi, consultancy services director at Incoming Thought and a leading light in the ISACA security professionals organisation, said that iBanking shows the criminals are a long way ahead in their ‘cat-and-mouse’ game with security professionals in the mobile area.

Sembhi told SCMagazineUK.com: “The developments are very intricate and I think very clever. These guys really know what they're doing on Android and have created self-protection mechanisms that will make it harder to detect the malware.

“It's another reminder that in the cat-and-mouse game we are playing catch-up. This is a great illustration of how far behind security vendors and security professionals are in the development of security on mobile devices.

“It shows how far it is possible to go for the criminal gangs, where they can see this is where the future is and they are now preparing for that future. We, security professionals, have not prepared for that future yet it seems and we're going to have to up the game.”

Sembhi added: “Companies like Apple, Google, BlackBerry, Microsoft really do need to look at what mobile applications are getting through into their app markets. They have a responsibility to at least do some anti-malware testing regardless of whether the application is free or it's paid for.”

Matt Hillman, head of research practice at global IT security firm MWR InfoSecurity, agreed that “security professionals should be keeping up-to-date with analysis techniques for Android malware, so obfuscation and similar techniques do not prevent timely analysis”.

He told SC UK via email: “The industry should continue to research and improve the Android security model to make it harder for malware to succeed. It is also important that users are educated on how to spot when they are being tricked into doing things that could infect their devices.”

Hillman added: “iBanking is significant because it is developed along the lines of professionally developed commercial software.”
