Powerful Russian cybercrime gangs have begun to use premium Android malware to broaden their attacks on financial institutions. The tool, known as iBanking, is one of the most expensive pieces of malware Symantec has seen on the underground market and its creator has a polished, Software-as-a-Service business model.
Operating under the handle GFF, its owner sells subscriptions to the software, complete with updates and technical support for up to US$5,000. For attackers unable to raise the subscription fee, GFF is also prepared to strike a deal, offering leases in exchange for a share of the profits.
iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS. It can also be used to construct mobile botnets and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection.
Its high price tag meant that use was initially confined mainly to well-resourced cybercrime gangs but, with the recent leak of its source code, Symantec has seen a significant increase in activity around iBanking and attacks are likely to grow further in the near future.
How it works
Attackers use social engineering tactics to lure their victims into downloading and installing iBanking on their Android devices. The victim is usually already infected with a financial Trojan on their PC, which will generate a pop up message when they visit a banking or social networking website, asking them to install a mobile app as an additional security measure.
Figure 1. How an iBanking victim is infected
The user is prompted for their phone number and the device operating system and will then be sent a download link for the fake software by SMS. If the user fails to receive the message for any reason, the attackers also provide a direct link and QR code as alternatives for installing the software. In some cases, the malware is hosted on the attackers’ servers. In other cases, it is hosted on reputable third-party marketplaces.
iBanking can be configured to look like official software from a range of different banks and social networks. Once it is installed on the phone, the attacker has almost complete access to the handset and can intercept voice and SMS communications.
iBanking has evolved from a simple SMS stealer into a powerful Android Trojan, capable of stealing a wide range of information from an infected handset, intercepting voice and text communications, and even recording audio through the phone’s microphone.
Early, pre-sale versions were seen in August 2013. They had limited functionality and could simply redirect calls and steal SMS messages. iBanking’s owner, who operates under the handle GFF, has continually refined the malware. By September 2013, it had gone on sale on a major Eastern European underground forum and was already replete with a broad range of functionality.
iBanking can be controlled through both SMS and HTTP. This effectively provides online and offline options for command and control. By default, the malware checks for a valid Internet connection. If one is found, it can be controlled over the Web through HTTP. If no Internet connection is present, it switches to SMS.
iBanking’s main features now include:
- Stealing phone information –phone number, ICCID, IMEI, IMSI, model, operating system
- Intercepting incoming/outgoing SMS messages and uploading them to the control server
- Intercepting incoming/outgoing calls and uploading them to the control server in real time
- Forwarding/redirecting calls to an attacker-controlled number
- Uploading contacts information to the control server
- Recording audio on the microphone and uploading it to the control server
- Sending SMS messages
- Getting the geolocation of the device
- Access to the file system
- Access to the program listing
- Preventing the removal of the application if administrator rights are enabled
- Wiping/restoring phone to the factory settings if administrator rights are enabled
- Obfuscated application code
While iBanking was initially only available from GFF at a premium price of US$5,000, the source code for the malware was leaked in February. Not surprisingly, this resulted in an immediate increase in bot activity relating to iBanking. Symantec predicts that this upsurge in activity will continue as news of the leaked source code spreads through the underground.
However, we believe that the more professional cybercrime groups will continue to pay for the product, allowing them to avail of updates, technical support and new features. The leaked version of iBanking is unsupported and contains an unpatched vulnerability.
GFF continues to develop iBanking and add new features. They have also claimed that they are developing a version for BlackBerry, although this has yet to go on sale.
How one hacker’s search for stolen Bitcoins led to an attack on the BBC and the leak of iBanking’s source code
The source code for iBanking was leaked following a bizarre series of events in which a hacker went on an attacking spree as part of a quest to retrieve 65,000 stolen Bitcoins.
Figure 2. ReVOLVeR uses Twitter to brag about attacking the BBC
It began in December 2013 when hacker ReVOLVeR began investigating the theft of 65,000 Bitcoins from a friend. ReVOLVeR traced the theft to the friend’s mobile phone and found an iBanking infection which they believed had leaked the username and password for their Bitcoin wallet.
ReVOLVeR discovered that the infected phone was communicating with a C&C server, myredskins.net, which they went on to compromise. On this server, they discovered leaked FTP credentials for the BBC’s website. The credentials may have been stolen from an SMS sent to a mobile phone owned by a BBC staff member infected with iBanking. Alternatively, they may have been taken from a third party who had been given access to the server.
ReVOLVeR then used these credentials to log into the BBC server, root the account and begin cracking additional credentials. He posted about his progress on Twitter, updating his followers with screenshots and dumps on SendSpace.
Once finished with the BBC, ReVOLVeR then turned his attention to iBanking and attempted to sell the malware as his own on an underground forum. He did little to cover up the origin of the malware, simply reusing the post GFF had originally used to advertise iBanking on a different forum. Not surprisingly, ReVOLVeR was promptly banned from the forum.
Not long after this, in February, another hacker who uses the handle Rome0 posted the source code to iBanking on a carding forum along with a simple script which could re-configure the iBanking application. Instead of charging for the malware, this version was made available for free. It is unclear whether Rome0 acquired the source code from ReVOLVeR or simply read about his attack on the C&C server and imitated it, but the two incidents appear to be linked.
The release of the source code coincided with a significant uptick in iBanking activity. Despite the availability of a free version, our research suggests that most of the large cybercrime actors are continuing to opt for the paid-for version. They appear to be willing to pay a premium for the updates and support provided by GFF.
The gangs using iBanking
One of the most active iBanking users is the Neverquest crew, a prolific cybercrime group that has infected thousands of victims with a customized version of Trojan.Snifula. This financial Trojan can perform Man-in-the-Middle (MITM) attacks against a range of international banks. The Neverquest crew utilizes iBanking to augment its Snifula attacks, capturing one-time passwords sent to mobile devices for out-of-band authentication and transaction verification. Control numbers (the mobile numbers that the bots can receive instructions from) indicate that the Neverquest crew is likely operating out of Eastern Europe.
Another threat actor utilizing iBanking is Zerafik, who also appears to operate from Eastern Europe. Zerafik operated a command-and-control (C&C) server located in the Netherlands which was subsequently hacked, with details posted publicly on ProtectYourNet. The leak revealed that iBanking installations controlled by this C&C server were configured to target customers of Dutch bank ING, with the app disguised to look like an official app from the company. The iBanking campaigns uncovered by this breach involved multiple segregated botnets that could be controlled through a single panel, allowing for the attacker to control multiple campaigns from a single user interface.
One of the first users of iBanking was an actor known as Ctouma, who has a history of involvement with scam websites and trading in stolen credit card data. Their email address (Ctouma2@googlemail.com) had been used to set up a service which sells stolen credit card information.
Ctouma employed one of the earliest versions of the malware, which wasn’t even for sale at the time. It was disguised as a mobile application for a Thai bank. While Thailand itself is not typically associated with financial fraud attacks, it is possible that these attacks may have served as a test bed for early versions of the malware, in order to test its effectiveness.
Symantec detects this threat as Android.iBanking.
Since iBanking victims are usually tricked into installing the app by a desktop financial Trojan, keeping your desktop antivirus software up to date will help avoid infection.
You should be wary of any SMS messages which contain links to download APKs (Android application package files), especially from non-reputable sources. IT administrators should consider blocking all messages which contain a link to install an APK.
Some iBanking APKs have been seeded onto trusted marketplaces and users should be aware of this as a potential avenue of infection
Users should be aware of sharing sensitive data through SMS, or at least be aware that malicious programs are sniffing this data.