Be careful, a new malicious Android app is lurking

Posted on Apr 18 2014 - 10:14pm by IBC News

iBanking is a malicious Android application that when installed on a mobile  phone is able to spy on its user’s communications. Eset reports that this bot has many interesting phone-specific capabilities, including capturing incoming and outgoing SMS messages, redirecting incoming voice calls, and even capturing audio using the device’s microphone. As reported by independent researcher Kafeine, this mobile application was for sale in underground forums and was used by several banking Trojans in an attempt to bypass a mobile two-factor authentication method put forth by some financial institutions. This method, usually called “mobile transaction authorization number†(mTAN) or mToken in the financial realm, is used by several banks throughout the world to authorize banking operations, but is now also increasingly used by popular internet services such as Gmail, Facebook and Twitter.

Recently, it was revealed by RSA that iBanking’s source code was leaked on underground forums. In fact, the web admin panel source was leaked as well as a builder script able to change the required fields to adapt the mobile malware to another target. At this point, we knew it was only a matter of time before we started seeing some “creative†uses of the iBanking application.


iBanking, detected by ESET as Android/Spy.Agent.AF, is an application that showcases complex features when compared with other earlier mobile banking malware, such as Perkele. It can be used in conjunction with any malware able to inject code into a webpage and is generally used to redirect incoming SMS messages to bypass two-factor authentication.

As iBanking technical analysis has already been done in the past, we did not study thoroughly this sample. We will keep this analysis, if relevant, for a future blog post.

As stated in our previous blog, Perkele’s mobile component has already been used as part of one of Win32/Qadars’s campaigns in an effort to bypass two-factor authentication mechanisms put forth by banks. Now we see that it is also using iBanking. This does not come as a surprise, as we believe that all webinjects deployed by the Win32/Qadars operators are bought in underground forums; thus they are not tied to any particular platforms. On the other hand, since this webinject is available through a well-known webinject coder, this Facebook iBanking app might be distributed by other banking Trojans in the future. In fact, it is quite possible that we will begin to see mobile components targeting other popular services on the web that also enforce two-factor authentication through the user’s mobile.

ZitMo, SpitMo, Citmo, Perkele and iBanking are all mobile components that have been used in the past by banking Trojans. The latter two were not bound to specific desktop malware and were for sale on various underground forums. This commoditization of mobile banking malware has given several smaller banking Trojans the means to try to bypass some two-factor authentication measures put in place by banks. Now that mainstream web services such as Facebook are also targeted by mobile malware, it will be interesting to see whether other types of malware will start using webinjects. Will we see content injection functionalities and mobile malware used in non-financial types of malware so that they can take over accounts from popular web services? Time will tell, but because of the commoditization of mobile malware and the associated code source leaks, this is a distinct possibility.