Attackers are targeting Facebook users with Google Android malware in an attempt to beat a common authentication mechanism used by banks.
Known as iBanking, the mobile malware has the capability to steal SMS messages and redirect incoming phone calls. It can also capture audio using the device’s microphone.
The attack doesn’t begin with iBanking however; it begins with the infection of the user’s computer by a banking Trojan called Win32/Qadars, which researchers at ESET were monitoring. According to ESET researcher Jean-Ian Boutin, the Trojan was spotted attempting to get victims to install iBanking.
“As reported by independent researcher Kafeine, this mobile application [iBanking] was for sale in underground forums and was used by several banking Trojans in an attempt to bypass a mobile two-factor authentication method put forth by some financial institutions,” blogged Boutin. “This method, usually called “mobile transaction authorization number” (mTAN) or mToken in the financial realm, is used by several banks throughout the world to authorize banking operations, but is now also increasingly used by popular internet services such as Gmail, Facebook and Twitter.”
“Recently, it was revealed by RSA that iBanking’s source code was leaked on underground forums,” he continued. “In fact, the web admin panel source was leaked as well as a builder script able to change the required fields to adapt the mobile malware to another target. At this point, we knew it was only a matter of time before we started seeing some “creative” uses of the iBanking application.”
He wasn’t wrong. When the user logs into their Facebook account, the malware injects a fake verification page into the site and requests the user’s mobile phone number and asks what mobile operating system the phone uses. If the victim’s phone is running Android, he or she will then be shown a message stating a text message is on the way. The message will ask the user to click on a link.
In order to download the app, the user needs to configure the settings to allow them to download apps from ‘Unknown sources.’
“The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud,” Boutin blogged. “Although the Facebook two-factor authentication feature has been around for quite a while, it may be that there is a growing number of people using it, thus making account takeover through a regular account credentials grabber ineffective. It might also just be a good way to make the user install iBanking on his phone so that the bot masters can make use of the other spying functionalities of iBanking.”
Since Google has improved their filtering of malicious apps from the Google Play store, Android malware authors have had to get more creative, explained Jeff Davis, vice president of engineering at Quarri Technologies.
“The iBanking/Webinject scheme uses what is becoming a standard technique: first it infects the user’s PC [and] then it uses this position to inject code into the user’s PC web browser on a trusted site, telling the user that the trusted site wants them to ‘sideload’ an Android app, ostensibly for security reasons,” Davis said. “The attack even includes instructions on how to change their Android settings to allow sideloading, which should be a big red flag but apparently isn’t.”