Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Attackers Use Facebook to Target Android Users

Attackers are targeting Facebook users with Google Android malware in an attempt to beat a common authentication mechanism used by banks. 

Known as iBanking, the mobile malware has the capability to steal SMS messages and redirect incoming phone calls. It can also capture audio using the device’s microphone.

Attackers are targeting Facebook users with Google Android malware in an attempt to beat a common authentication mechanism used by banks. 

Known as iBanking, the mobile malware has the capability to steal SMS messages and redirect incoming phone calls. It can also capture audio using the device’s microphone.

The attack doesn’t begin with iBanking however; it begins with the infection of the user’s computer by a banking Trojan called Win32/Qadars, which researchers at ESET were monitoring. According to ESET researcher Jean-Ian Boutin, the Trojan was spotted attempting to get victims to install iBanking.

“As reported by independent researcher Kafeine, this mobile application [iBanking] was for sale in underground forums and was used by several banking Trojans in an attempt to bypass a mobile two-factor authentication method put forth by some financial institutions,” blogged Boutin. “This method, usually called “mobile transaction authorization number” (mTAN) or mToken in the financial realm, is used by several banks throughout the world to authorize banking operations, but is now also increasingly used by popular internet services such as Gmail, Facebook and Twitter.”

“Recently, it was revealed by RSA that iBanking’s source code was leaked on underground forums,” he continued. “In fact, the web admin panel source was leaked as well as a builder script able to change the required fields to adapt the mobile malware to another target. At this point, we knew it was only a matter of time before we started seeing some “creative” uses of the iBanking application.”

He wasn’t wrong. When the user logs into their Facebook account, the malware injects a fake verification page into the site and requests the user’s mobile phone number and asks what mobile operating system the phone uses. If the victim’s phone is running Android, he or she will then be shown a message stating a text message is on the way. The message will ask the user to click on a link.

Advertisement. Scroll to continue reading.
“If the SMS somehow fails to reach the user’s phone, he can also browse directly to the URL on the image with his phone or scan the QR code,” Boutin noted. “There is also an installation guide available that explains how to install the application.”

In order to download the app, the user needs to configure the settings to allow them to download apps from ‘Unknown sources.’

“The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud,” Boutin blogged. “Although the Facebook two-factor authentication feature has been around for quite a while, it may be that there is a growing number of people using it, thus making account takeover through a regular account credentials grabber ineffective. It might also just be a good way to make the user install iBanking on his phone so that the bot masters can make use of the other spying functionalities of iBanking.”

Since Google has improved their filtering of malicious apps from the Google Play store, Android malware authors have had to get more creative, explained Jeff Davis, vice president of engineering at Quarri Technologies.

“The iBanking/Webinject scheme uses what is becoming a standard technique: first it infects the user’s PC [and] then it uses this position to inject code into the user’s PC web browser on a trusted site, telling the user that the trusted site wants them to ‘sideload’ an Android app, ostensibly for security reasons,” Davis said. “The attack even includes instructions on how to change their Android settings to allow sideloading, which should be a big red flag but apparently isn’t.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.