Leaked Source Code Causes Explosion In Popularity Of ‘iBanking’ Malware

Russian cyber criminals have started using premium Android malware with an extensive set of features after a free version of the code appeared online, warns Symantec.

iBanking, first spotted in 2013, used to retail for $5,000 and was available from a single underground vendor known only as ‘GFF’. But the source code was leaked in February, and the malware can now be deployed by anyone. Symantec predicts that the upsurge in activity will continue as the news of a free version spreads.

Once installed, iBanking gives the attacker complete control over the handset, allowing them to intercept calls, send SMS messages to premium numbers and steal financial information.

Earlier this month, F-Secure revealed that 99 percent of the mobile malware discovered since February targets Android. The company noted that it was possible for Android malware to reach the official Google Play store, with large numbers of users downloading malicious apps before Google could remove them from the marketplace.

Intellectual property

According to Symantec, iBanking is one of the most expensive pieces of malware on the market and is especially popular among Eastern European cybercrime gangs. It can be configured to look like the official apps from a range of different banks and social networks.

Once iBanking is installed on the device using social engineering techniques, the attacker gains almost complete control over it. They can intercept voice and SMS communications, including those from banks, as well as record audio from the microphone, read contacts, forward or redirect calls and access the file system.

This strain of malware can be controlled online, or through SMS if an Internet connection is not available. iBanking can also prevent the owner from deleting certain apps or restoring the handset to factory settings.

Symantec assumes that the malware code was discovered accidentally by a Russian hacker named ‘ReVOLVeR’ on a command-and-control server which also contained administrator credentials for the BBC website. A hacker called ‘Rome0’ then adopted the code and posted it online for free.

Researchers believe that the more professional cybercrime groups will keep paying for iBanking to retain access to updates, technical support and new features. The leaked version of iBanking is unsupported and contains an unpatched vulnerability.

Symantec advises users to keep their desktop antivirus updated in order to stop iBanking from piggybacking on top of known Trojans. It also warns against clicking any links to download APKs that arrive via SMS.

Unfortunately, some iBanking APKs could make their way onto trusted app marketplaces, and users should be aware of this as a potential avenue of infection.

Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
