iBanking is the name of a mobile banking Trojan app distributed through HTML injection attacks on banking sites. iBanking deceives victims by posing as a ‘Security App’ for Android. We wrote about it in early 2014, when the source code of the mobile malware was leaked online through an underground forum.
The iBanking mobile banking Trojan is available for sale in the underground for $5,000, according to RSA’s FraudAction Group. The malware is used to circumvent the security mechanisms implemented by banking websites, including two-factor authentication.
iBanking can be commanded via SMS or over HTTP. In the HTTP case, the bot beacons to its C&C server at a pre-defined interval, then pulls and executes a command if one is waiting for it. The bot implements the following features:
The above verification page was designed to ask victims for their mobile number in order to verify the authenticity of the Facebook account. In case the SMS fails to reach the user’s mobile, one of the subsequent pages was designed to ask the victim to download an Android app, either from a URL displayed on the page or by reading a QR code shown on the screen.
“iBanking, detected by ESET as Android/Spy.Agent.AF, is an application that showcases complex features when compared with other earlier mobile banking malware, such as Perkele. It can be used in conjunction with any malware able to inject code into a webpage and is generally used to redirect incoming SMS messages to bypass two-factor authentication.” reported ESET.