Attackers are targeting Facebook users with Google Android malware in an attempt to beat a common authentication mechanism used by banks.
Known as iBanking, the mobile malware has the capability to steal SMS messages and redirect incoming phone calls. It can also capture audio using the device’s microphone.
The attack doesn’t begin with iBanking however; it begins with the infection of the user’s computer by a banking Trojan calledWin32/Qadars, which researchers at ESET were monitoring. According to ESET researcherJean-Ian Boutin, theTrojan was spotted attempting to get victims to install iBanking.
“As reported by independent researcherKafeine, this mobile application [iBanking] was for sale in underground forums and was used by several banking Trojans in an attempt to bypass a mobile two-factor authentication method put forth by some financial institutions,” blogged Boutin. “This method, usually called “mobile transaction authorization number” (mTAN) or mToken in the financial realm, is used by several banks throughout the world to authorize banking operations, but is now also increasingly used by popular internet services such as Gmail, Facebook and Twitter.”
“Recently, it was revealed by RSA that iBanking’s source code wasleakedon underground forums,” he continued. “In fact, the web admin panel source was leaked as well as a builder script able to change the required fields to adapt the mobile malware to another target. At this point, we knew it was only a matter of time before we started seeing some “creative” uses of the iBanking application.”
He wasn’t wrong.When the user logs into their Facebook account, the malware injects a fake verification page into the site and requests the user’s mobile phone number and asks what mobile operating system the phone uses. If the victim’s phone is running Android, he or she will then be shown a message stating a text message is on the way. The message will ask the user to click on a link.
“If the SMS somehow fails to reach the user’s phone, he can also browse directly to the URL on the image with his phone or scan the QR code,” Boutin noted. “There is also an installation guide available that explains how to install the application.”
In order to download the app, the user needs to configure the settings to allow them to download apps from ‘Unknown sources.’
“The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud,” Boutin blogged. “Although the Facebook two-factor authentication feature has been around forquite a while, it may be that there is a growing number of people using it, thus making account takeover through a regular account credentials grabber ineffective. It might also just be a good way to make the user install iBanking on his phone so that the bot masters can make use of the other spying functionalities of iBanking.”
Since Google has improved their filtering of malicious apps from the Google Play store, Android malware authors have had to get more creative, explained Jeff Davis, vice president of engineering at Quarri Technologies.
“TheiBanking/Webinject scheme uses what is becoming a standard technique: first it infects the user’s PC [and] then it uses this position to inject code into the user’s PC web browser on a trusted site, telling the user that the trusted site wants them to ‘sideload’ an Android app, ostensibly for security reasons,” Davis said. “The attack even includes instructions on how to change their Android settings to allow sideloading, which should be a big red flag but apparently isn’t.”
Brian Prince is a Contributing Writer for SecurityWeek.Previous Columns by Brian Prince:Attackers Use Facebook to Target Android Users GAO Report Knocks SEC for Cybersecurity Failings Microsoft Updates Threat Modeling Tool Oracle Releases Massive Security UpdateSQL Injection Breaches Take Months to Uncover and Fix: Survey
Tags: NEWS INDUSTRY