iBanking: taking full advantage of Android Malware

Powerful Russian cybercriminal gangs have begun using sophisticated Android malware to expand their attacks on financial institutions. The tool, known as iBanking, is one of the most expensive malware tools Symantec has identified on the market, and its maker operates on a Software-as-a-Service business model.


Operating under the alias GFF, the owner sells full subscriptions to the software, with all updates and technical support, for up to US$5,000. For attackers who cannot afford the subscription fee, GFF is prepared to strike a deal, offering to lease the software in exchange for a share of the profits.

iBanking is often disguised as a legitimate social networking app, banking application or security solution, and is mainly used to defeat out-of-band security measures by intercepting codes sent over SMS. It can also be used to build mobile botnets and to conduct surveillance on its victims. iBanking has a number of advanced features, such as allowing attackers to switch control of the device between HTTP and SMS, regardless of whether an internet connection is available.

How does it work
Attackers use social engineering tactics to trick their victims into downloading and installing iBanking on their Android devices. The victim is usually already infected with a financial Trojan on their computer, which generates a pop-up message when they visit a banking website, asking them to install a mobile app as a security measure.

The user is asked for their phone number and operating system, and a link to download the fake software is then sent to them via SMS. If the user does not receive the message for any reason, the attackers also provide a direct link and a QR code as alternative ways to install the software. In some cases the malware is hosted on the attackers' servers. In other cases, it is hosted in reputable online app stores.

iBanking can be adapted to look like official software from a range of banks and social networks. Once it is installed on the phone, the attacker has almost full access to the device and can intercept voice and SMS communications.

record
iBanking has evolved from a simple SMS eavesdropping tool into a powerful Android Trojan capable of intercepting a wide range of information from a compromised device, from voice and SMS communications to audio recorded through the phone's microphone.

The main features of iBanking include:

  • Phone information collection - number, ICCID, IMEI, IMSI, model, operating system
  • Interception of incoming/outgoing SMS messages and upload of the information to the control server
  • Interception of incoming/outgoing phone calls and upload of the information to the control server in real time
  • Call forwarding to an attacker-controlled number
  • Upload of contacts to the control server
  • Audio recording via the microphone and upload to the control server
  • Sending SMS messages
  • Retrieving the device's location
  • Access to the file system
  • Access to the list of programs
  • Preventing removal of the application if administrator permissions are enabled
  • Resetting the phone to factory settings if administrator permissions are enabled
  • Obfuscated code

Protection
Symantec detects the threat as Android.iBanking. Users should be wary of any SMS containing a link urging them to download APKs (Android application package files), especially if it comes from an untrusted source. IT administrators should consider blocking all messages that contain links to install an APK.
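One way an administrator could implement the APK-link check described above at a message gateway, shown as an added example that is not part of the original article or Symantec's guidance. The function names, the sample messages and the example.test domain are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Matches URLs with an explicit scheme or a bare "www." prefix.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)


def apk_links(message: str) -> list[str]:
    """Return the URLs in a message body that point at an APK file."""
    hits = []
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,;:!?)]}")  # drop sentence punctuation
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url
        parts = urlsplit(url)
        # Decode percent-encoding so "%2Eapk" cannot hide the extension,
        # and inspect query values as well (download.php?file=x.apk).
        candidates = [unquote(parts.path)]
        candidates += [value for _, value in parse_qsl(parts.query)]
        if any(c.lower().split(";")[0].rstrip("/").endswith(".apk")
               for c in candidates):
            hits.append(url)
    return hits


def should_block(message: str) -> bool:
    """Gateway decision: block any message carrying an APK link."""
    return bool(apk_links(message))


# Constructed sample messages (not taken from real traffic).
SAMPLES = [
    "Your bank requires a security app: http://example.test/secure/BankGuard.APK",
    "Install: https://example.test/dl?file=cert%2Eapk.",
    "Statement ready at https://example.test/apk/statement.pdf",
    "Your one-time code is 493021",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print("BLOCK" if should_block(sms) else "allow", "|", sms)
```

Shortened or redirecting links carry no .apk in the message text, so this is a first-pass filter that needs link resolution at the gateway to cover them.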

Some iBanking APKs have made their way into trusted marketplaces, and users should be aware of this possible route of infection. Users should be cautious about sharing sensitive data over SMS, or at least be aware that malware is looking for this data.


Written by giorgos
