RSA researchers have recently traced a forum post leaking the iBanking mobile bot control panel source-code. Apart from the server-side source-code, the leaked files also include a builder (a bash script) that can un-pack the existing iBanking APK file and re-pack it with different configurations, essentially providing fraudsters with the means to create their own unique application.
iBanking mobile bot is a relative newcomer to the mobile malware scene, and has been available for sale in the underground for $5,000 since late last year. We first saw it spread through HTML injection attacks on banking sites, social engineering victims into downloading a so-called “security app” for their Android devices.
The malware goes beyond being yet another SMS-sniffer app, offering features such as call redirecting, audio recording (using the device’s mic) and data stealing. The malware is an example of the ongoing developments in the mobile malware space and we are now seeing the next generation of malicious apps being developed and commercialized in the underground, boasting web-based control panels and packing more data-stealing features.
What is the iBanking App?
In order to deceive its victims the iBanking app disguises itself in different ways. During our analysis we observed two main graphic templates: one made use of its target’s logos and monikers (in our analysis a well-known financial institution), and in another it masqueraded as a security app. Furthermore, during the installation process the app attempts to social engineer the user into providing it with administrative rights, making its removal much more difficult.
The bot can be controlled either over HTTP or via SMS. Over HTTP, the app beacons its control server at a pre-defined interval, then pulls and executes a command if one is awaiting it. The app provides its controller with the following capabilities:
- Capture all incoming/outgoing SMS messages
- Redirect all incoming voice calls to a different pre-defined number
- In/out/missed call-list capturing
- Audio capturing via device’s microphone
- Phone book capturing
- URL status: the mobile device will visit a provided URL, returning its status (possibly for click-fraud schemes.)
When attempting to communicate with its control server via HTTP, the bot will send up-to-date information about the device. If it fails to communicate over HTTP it will alert its controller by SMS to the pre-defined control number. The control number is the number used by the fraudster to control his bots. Any SMS received at the bot originating from the control number will be parsed, and the command executed.
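The fixed-interval HTTP beacon described above is also what a defender can hunt for: a device that contacts the same host at a near-constant interval stands out against human browsing, which is bursty. The following is an added example, not code from the iBanking bot or panel. The proxy log format, the host name and the 60-second interval are constructed for illustration; the post does not state the bot’s actual beacon interval, so the jitter threshold is an assumption to tune against real traffic.

```python
"""Detect fixed-interval polling (C2 beaconing) in HTTP proxy logs.

Added example for this post, not code from the iBanking bot or panel.
Log format, host names and the 60-second interval are constructed.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log lines: "timestamp src_ip dst_host path".
# One host is polled roughly once a minute; the others are ordinary browsing.
SAMPLE_LOG = """\
2014-02-20T10:00:00 10.0.0.5 panel.example.invalid /api/bot
2014-02-20T10:00:12 10.0.0.5 www.example-news.invalid /index.html
2014-02-20T10:01:00 10.0.0.5 panel.example.invalid /api/bot
2014-02-20T10:01:30 10.0.0.5 www.example-news.invalid /sports.html
2014-02-20T10:02:00 10.0.0.5 panel.example.invalid /api/bot
2014-02-20T10:03:00 10.0.0.5 panel.example.invalid /api/bot
2014-02-20T10:03:45 10.0.0.5 cdn.example-news.invalid /img.png
2014-02-20T10:04:01 10.0.0.5 panel.example.invalid /api/bot
2014-02-20T10:05:00 10.0.0.5 panel.example.invalid /api/bot
"""


def parse_log(text):
    """Group request timestamps by (source IP, destination host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _path = line.split()
        series[(src, host)].append(datetime.fromisoformat(ts))
    return series


def beacon_score(timestamps, min_requests=5):
    """Return (median_gap_seconds, jitter_ratio), or None if too few samples.

    jitter_ratio is the population standard deviation of the inter-request
    gaps divided by their median. A bot polling on a timer gives a ratio near
    zero; a human clicking around gives a large one.
    """
    if len(timestamps) < min_requests:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    median_gap = statistics.median(gaps)
    if median_gap <= 0:
        return None
    return median_gap, statistics.pstdev(gaps) / median_gap


def find_beacons(text, max_jitter=0.2, min_requests=5):
    """Return [(src, host, interval_seconds)] for series that look like timed polling."""
    hits = []
    for (src, host), stamps in parse_log(text).items():
        score = beacon_score(stamps, min_requests)
        if score is not None and score[1] <= max_jitter:
            hits.append((src, host, score[0]))
    return hits


if __name__ == "__main__":
    for src, host, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {host} every ~{interval:.0f}s")
```

On the constructed log this flags only the panel host (six requests, gaps of 59 to 61 seconds). In practice, raise `min_requests` and lower `max_jitter` to suppress legitimate periodic traffic such as software update checks, and corroborate a hit with the device inventory rather than blocking on timing alone.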
Revealing the iBanking’s Web-Based Control Panel
The web-based control panel, whose source code was completely leaked, is programmed to aid botmasters with control over the infected mobile devices. The panel provides the controller with an overview of the botnet, and affords a one-click interface to send commands to infected devices over HTTP.
What’s interesting about the control panel is that it is capable of hosting several “sandboxed” campaigns (called on the panel “projects”). This could support an iBanking-as-a-Service model in which the panel owner could offer it as a service to several fraudsters, each only having access to their attack campaign.
As can be seen in the panel screenshot above, the tabs along the top provide access to information about the currently selected device, including:
- SMS list: SMS messages bearing One Time Password (OTP) codes received.
- All SMS list: all SMS messages sent and received.
- All call list: all call logs (inbound, outbound and missed).
- Sounds: lists all audio recordings, made with the device’s mic, that were stolen from the device. The audio is stored on the server in 3gp format.
- Contact list: the list of contacts captured from the selected device
- URL report: provides a list of URLs and their status code as tested by, and returned from the device
With the apparent code leak, Trojan botmasters are now in a better position to incorporate this advanced mobile counterpart in their PC-based attacks, affording them control over their victims’ smartphones. What’s more, the panel’s “sandboxing” feature, supporting multiple unrelated attack campaigns (or mobile botnets), may encourage mobile-botnet-as-a-service offerings in the underground marketplace.
The malware’s ability to capture SMS messages and audio recordings, as well as divert voice calls, makes step-up authentication all the more challenging as fraudsters gain more control over the out-of-band (OOB) device. This highlights the need for stronger authentication solutions capable of validating users’ identities using multiple factors, including biometric solutions. The latter will also reduce the dependency on conscious human intervention, leaving social engineering attempts with nothing to exploit.
We continue to monitor the developments in this space.
The research was done in collaboration with RSA FirstWatch researcher Lior Ben-Porat. Lior is responsible for monitoring the cybercrime malware ecosystem and investigating emerging trends.