Leaked Source Code Causes Explosion In Popularity Of ‘iBanking’ Malware

Russian cyber criminals have started using premium Android malware with an extensive set of features after a free version of the code appeared online, warns Symantec.

iBanking, first spotted in 2013, used to retail for $5,000 and was available from a single underground vendor known only as ‘GFF’. But the source code was leaked in February, and the malware can now be deployed by anyone. Symantec predicts that the upsurge in activity will continue as the news of a free version spreads.

Once installed, iBanking gives the attacker the complete control over the handset, allowing them to intercept calls, send SMS to premium numbers and steal financial information.

Earlier this month, F-Secure revealed that 99 percent of the mobile malware discovered since February targets Android. The company noted that it was possible for Android malware to reach the official Google Play store, with large numbers of users downloading malicious apps before Google could remove them from the marketplace.

Intellectual property

According to Symantec, iBanking is one of the most expensive pieces of malware on the market, especially popular among Eastern European cybercrime gangs.  It can be configured to look like the official apps from a range of different banks and social networks.

Once iBanking is installed on the device using social engineering techniques, the attacker gains almost complete control over it. They can intercept voice and SMS communications, including those from banks, as well as record audio from the microphone, read contacts, forward or redirect calls and access the file system.

This strain of malware can be controlled online, or through SMS if the Internet connection is not available. iBanking can also prevent the owner from deleting certain apps or restoring handset to the factory settings.

Symantec assumes that the malware code was discovered accidentally by a Russian hacker named ‘ReVOLVeR’ on a Command and Control sever which also contained administrator credentials for the BBC website. A hacker called ‘Rome0’ then adopted the code and posted it online for free.

Researchers believe that the more professional cybercrime groups will continue to pay for iBanking to continue accessing updates, technical support and new features. The leaked version of iBanking is unsupported and contains an unpatched vulnerability.

Symantec advises users to keep their desktop antivirus updated in order to stop iBanking from piggybacking on top of known Trojans. It also warns against clicking any links to download APKs that arrive via SMS.

Unfortunately, some iBanking APKs could make their way onto trusted app marketplaces and users should be aware of this as a potential avenue of infection.

What do you know about Android? Take our quiz!