Leaked Source Code Causes Explosion In Popularity Of ‘iBanking’ Malware

Russian cyber criminals have started using premium Android malware with an extensive set of features after a free version of the code appeared online, warns Symantec.

iBanking, first spotted in 2013, used to retail for $5,000 and was available from a single underground vendor known only as ‘GFF’. But the source code was leaked in February, and the malware can now be deployed by anyone. Symantec predicts that the upsurge in activity will continue as the news of a free version spreads.

Once installed, iBanking gives the attacker the complete control over the handset, allowing them to intercept calls, send SMS to premium numbers and steal financial information.

Earlier this month, F-Secure revealed that 99 percent of the mobile malware discovered since February targets Android. The company noted that it was possible for Android malware to reach the official Google Play store, with large numbers of users downloading malicious apps before Google could remove them from the marketplace.

Intellectual property

According to Symantec, iBanking is one of the most expensive pieces of malware on the market, especially popular among Eastern European cybercrime gangs.  It can be configured to look like the official apps from a range of different banks and social networks.

Once iBanking is installed on the device using social engineering techniques, the attacker gains almost complete control over it. They can intercept voice and SMS communications, including those from banks, as well as record audio from the microphone, read contacts, forward or redirect calls and access the file system.

This strain of malware can be controlled online, or through SMS if the Internet connection is not available. iBanking can also prevent the owner from deleting certain apps or restoring handset to the factory settings.

Symantec assumes that the malware code was discovered accidentally by a Russian hacker named ‘ReVOLVeR’ on a Command and Control sever which also contained administrator credentials for the BBC website. A hacker called ‘Rome0’ then adopted the code and posted it online for free.

Researchers believe that the more professional cybercrime groups will continue to pay for iBanking to continue accessing updates, technical support and new features. The leaked version of iBanking is unsupported and contains an unpatched vulnerability.

Symantec advises users to keep their desktop antivirus updated in order to stop iBanking from piggybacking on top of known Trojans. It also warns against clicking any links to download APKs that arrive via SMS.

Unfortunately, some iBanking APKs could make their way onto trusted app marketplaces and users should be aware of this as a potential avenue of infection.

What do you know about Android? Take our quiz!

Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

11 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

14 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

15 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

16 hours ago