“RSA researchers have recently traced a forum post leaking the iBanking mobile bot control panel source-code. Apart from the server-side source-code, the leaked files also include a builder (a bash script) that can un-pack the existing iBanking APK file and re-pack it with different configurations, essentially providing fraudsters with the means to create their own unique application.
iBanking mobile bot is a relative new-comer to the mobile malware scene, and has been available for sale in the underground for $5,000 since late last year. We first saw it spread through HTML injection attacks on banking sites, social engineering victims into downloading a so-called “security app” for their Android devices.” explained in the blog post the Head of knowledge delivery and business development for RSA’s FraudAction Group, Daniel Cohen.
It’s clear that the availability of iBanking mobile bot source code will give the opportunity for cybercriminals to build customized versions of the malware in the future.
Daniel Cohen remarked that the proposal for mobile banking trojan source code is a new for the cyber criminal ecosystem despite the proposal in the underground marketplace is very articulate.
The bot could be commanded via SMS or over HTTP beaconing C&C server every pre-defined interval, then pull and execute the command if one is awaiting it. The app implements the following features:
“Apart from the server-side source-code, the leaked files also include a builder that can un-pack the existing iBanking APK file and re-pack it with different configurations, essentially providing fraudsters with the means to create their own unique application,” said Cohen.
“The malware’s ability to capture SMS messages and audio recordings, as well as divert voice calls makes step-up authentication all the more challenging as fraudsters gain more control over the OOB device. This highlights the need for stronger authentication solutions capable of validating users’ identities using multiple factors including biometric solutions.”