iBanking Mobile Bot Source Code Leaked

Categories: IT Security

RSA researchers have recently traced a forum post leaking the iBanking mobile bot control panel source-code. Apart from the server-side source-code, the leaked files also include a builder (a bash[1] script) that can un-pack the existing iBanking APK file and re-pack it with different configurations, essentially providing fraudsters with the means to create their own unique application.

iBanking mobile bot is a relative newcomer to the mobile malware scene, and has been available for sale in the underground for $5,000 since late last year. We first saw it spread through HTML injection attacks on banking sites, social engineering victims into downloading a so-called “security app” for their Android devices.

The malware goes beyond being yet another SMS-sniffer app, offering features such as call redirecting, audio recording (using the device’s mic) and data stealing. The malware is an example of the ongoing developments in the mobile malware space and we are now seeing the next generation of malicious apps being developed and commercialized in the underground, boasting web-based control panels and packing more data-stealing features.


Figure 1: Forum post leaking the source code

What is the iBanking App?

In order to deceive its victims the iBanking app disguises itself in different ways. During our analysis we observed two main graphic templates: one made use of its target’s logos and monikers (in our analysis a well-known financial institution), and in another it masqueraded as a security app. Furthermore, during the installation process the app attempts to social engineer the user into providing it with administrative rights, making its removal much more difficult.


Figure 2: Installation process requesting permissions to use the phone, SMS and audio services;
Figure 3: Attempting to uninstall the app after it has received administrative privileges.

The bot can be controlled either over HTTP or via SMS. Over HTTP, the app beacons its control server at a pre-defined interval, then pulls and executes a command if one is awaiting it. The app provides its controller with the following capabilities:

  • Capture all incoming/outgoing SMS messages
  • Redirect all incoming voice calls to a different pre-defined number
  • In/out/missed call-list capturing
  • Audio capturing via device’s microphone
  • Phone book capturing
  • URL status: the mobile device will visit a provided URL, returning its status (possibly for click-fraud schemes.)
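Each capability listed above has to be declared in the app's manifest as an Android permission, and the device-administrator behaviour shown in Figure 3 is registered through a receiver protected by BIND_DEVICE_ADMIN. The following triage script is an added example written for this post, not code from RSA or from the leaked files; it reads a decoded AndroidManifest.xml (as produced by a tool such as apktool) and reports which of the post's capability groups the app requests. The grouping of permissions into capabilities, the scoring and the threshold of 4 are assumptions made for the example, and the two manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Map of the capabilities described in the post to the Android permissions an
# app would have to request to implement them (grouping is this example's own).
CAPABILITY_PERMISSIONS = {
    "sms_capture": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "call_redirect": {"android.permission.CALL_PHONE",
                      "android.permission.PROCESS_OUTGOING_CALLS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "network": {"android.permission.INTERNET"},
}

# Assumed threshold: this many capability groups (device admin counts double)
# is enough to route an APK to a human analyst.
SUSPICIOUS_SCORE = 4


def parse_manifest(xml_text):
    """Return (set of requested permissions, whether a device-admin receiver is declared)."""
    root = ET.fromstring(xml_text)
    name_attr = "{%s}name" % ANDROID_NS
    perm_attr = "{%s}permission" % ANDROID_NS
    permissions = {e.get(name_attr) for e in root.iter("uses-permission")}
    # An app becomes a device administrator by declaring a receiver that is
    # protected by BIND_DEVICE_ADMIN; that is what makes removal hard for the user.
    device_admin = any(e.get(perm_attr) == "android.permission.BIND_DEVICE_ADMIN"
                       for e in root.iter("receiver"))
    return permissions, device_admin


def triage(xml_text):
    """Score a decoded manifest against the capability groups above."""
    perms, device_admin = parse_manifest(xml_text)
    caps = {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    score = len(caps) + (2 if device_admin else 0)
    return {
        "capabilities": sorted(caps),
        "device_admin": device_admin,
        "score": score,
        "suspicious": score >= SUSPICIOUS_SCORE,
    }


# Constructed sample: a manifest requesting the whole capability set plus device admin.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securityapp">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security App">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: an ordinary networked app.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="News Reader"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The point of the check is the combination: INTERNET alone is unremarkable, but SMS receipt, audio recording, call-log and contact access together with a device-admin receiver is the profile the post describes, and it can be evaluated from the manifest before any dynamic analysis.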

When attempting to communicate with its control server via HTTP, the bot sends up-to-date information about the device. If it fails to communicate over HTTP it alerts its controller by SMS to the pre-defined control number. The control number is the number used by the fraudster to control his bots. Any SMS received at the bot originating from the control number will be parsed, and the command executed.


Figure 4: HTTP-based communication delivering stolen SMS messages from the device to the control server.
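Because the bot polls its control server at a fixed interval, the HTTP side of this traffic has a shape that can be picked out of proxy or gateway logs: many requests from one device to one host with nearly identical gaps between them. The detector below is an added example written for this post (not code from RSA or from the leaked panel): it groups log lines by source and destination host, measures the spread of the inter-request gaps, and reports pairs whose gaps are regular enough to look like a beacon. The log format, the hostnames and the thresholds (at least 5 hits, coefficient of variation of at most 0.15) are assumptions of the example, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<timestamp> <source-ip> <method> <url> <status>".
# 10.0.0.5 polls panel.example.invalid roughly every five minutes (with a few
# seconds of jitter) while also browsing www.example.com at irregular times.
SAMPLE_LOG = """\
2014-02-20T10:00:00 10.0.0.5 POST http://panel.example.invalid/gate.php 200
2014-02-20T10:00:10 10.0.0.5 GET http://www.example.com/ 200
2014-02-20T10:00:27 10.0.0.5 GET http://www.example.com/news 200
2014-02-20T10:04:27 10.0.0.5 GET http://www.example.com/sports 200
2014-02-20T10:04:32 10.0.0.5 GET http://www.example.com/weather 200
2014-02-20T10:05:02 10.0.0.5 POST http://panel.example.invalid/gate.php 200
2014-02-20T10:09:59 10.0.0.5 POST http://panel.example.invalid/gate.php 200
2014-02-20T10:14:32 10.0.0.5 GET http://www.example.com/about 200
2014-02-20T10:15:01 10.0.0.5 POST http://panel.example.invalid/gate.php 200
2014-02-20T10:20:00 10.0.0.5 POST http://panel.example.invalid/gate.php 200
2014-02-20T10:24:58 10.0.0.5 POST http://panel.example.invalid/gate.php 200
"""


def parse_line(line):
    """Split one constructed-format log line into (timestamp, source, host)."""
    ts, src, _method, url, _status = line.split()
    host = url.split("/")[2]  # scheme://host/path -> host
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, host


def find_beacons(lines, min_hits=5, max_cv=0.15):
    """Return {(src, host): stats} for pairs whose request gaps are nearly constant.

    The coefficient of variation (standard deviation / mean of the gaps) is
    near zero for a fixed-interval poll and large for human browsing.
    """
    sessions = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, host = parse_line(line)
        sessions[(src, host)].append(ts)

    beacons = {}
    for key, stamps in sessions.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = {"hits": len(stamps), "interval": avg, "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (src, host), stats in find_beacons(SAMPLE_LOG.splitlines()).items():
        print("%s -> %s: %d hits every ~%.0fs (cv=%.3f)"
              % (src, host, stats["hits"], stats["interval"], stats["cv"]))
```

On real traffic the same logic needs a longer observation window and an allow-list for legitimate pollers (mail sync, update checks), but the contrast between the two hosts in the sample is the signal: the panel host is hit six times at a near-constant spacing, the browsing host is not.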

The leaked files do not include the source code of the app itself, but the provided bash script gives fraudsters the means to customize the app’s configuration, including the control server’s address, the control number, the app’s characteristics (such as its name), and the graphic template to be used. Although this limits further development of the app by other fraudsters, it is still sufficient to enable them to launch their own custom attacks.

Revealing the iBanking’s Web-Based Control Panel

The web-based control panel, whose source code was completely leaked, is programmed to aid botmasters with control over the infected mobile devices. The panel provides the controller with an overview of the botnet, and affords a one-click interface to send commands to infected devices over HTTP.


Figure 5: The admin panel providing an overview of the bots’ statuses and a one-click command interface.

What’s interesting about the control panel is that it is capable of hosting several “sandboxed” campaigns (called on the panel “projects”). This could support an iBanking-as-a-Service model in which the panel owner could offer it as a service to several fraudsters, each only having access to their attack campaign.

As can be seen in the image above, the tabs (at the top part) provide access to information regarding the currently selected device including:

  • SMS list: SMS messages bearing One Time Password (OTP) codes received.
  • All SMS list: all SMS messages sent and received.
  • All call list: all call logs (inbound, outbound and missed).
  • Sounds: lists all audio recordings captured via the device’s mic and stolen from the device. The audio is stored on the server in 3gp format.
  • Contact list: the list of contacts captured from the selected device
  • URL report: provides a list of URLs and their status code as tested by, and returned from the device

Looking Ahead

With the apparent code leak, Trojan botmasters are now in a better position to incorporate this advanced mobile counterpart in their PC-based attacks, affording them control over their victims’ smartphones. What’s more, the panel’s “sandboxing” feature, supporting multiple unrelated attack campaigns (or mobile botnets), may encourage mobile-botnet-as-a-service offerings in the underground marketplace.

The malware’s ability to capture SMS messages and audio recordings, as well as to divert voice calls, makes step-up authentication all the more challenging as fraudsters gain more control over the OOB device. This highlights the need for stronger authentication solutions capable of validating users’ identities using multiple factors, including biometric solutions. The latter will also reduce the dependency on conscious human intervention, rendering social engineering attempts void.

We continue to monitor the developments in this space.

The research was done in collaboration with RSA FirstWatch researcher Lior Ben-Porat. Lior is responsible for monitoring the cybercrime malware ecosystem and investigating emerging trends.

[1] Bash is a command processor that allows a user to enter commands which execute actions. Bash can also read commands from a script file.

Author: Daniel Cohen

Daniel Cohen is Head of Knowledge Delivery and Business Development for RSA’s FraudAction Group. In his role as Head of Knowledge Delivery, Daniel and his team are responsible for gathering, analyzing and reporting on intelligence findings recovered by the different cyber teams operating within the group. This intersection of data – human-based intelligence, malware research, and anti-phishing operations – provides Daniel with unique visibility into the ever-changing cyber-crime landscape. Coupled with his industry insight as Head of Business Development, Daniel has a wealth of experience in working with leading companies worldwide in strategizing their security needs.