Android Malware Repurposed to Thwart Two-factor Authentication

Jack

Jan 24, 2011
A malicious mobile application for Android that offers a range of espionage functions has now gone on sale in underground forums with a new trick: it’s being used by several banking trojans in an attempt to bypass the two-factor authentication method used by a range of financial institutions.
Dubbed iBanking, the bot offers a slew of phone-specific capabilities, including capturing incoming and outgoing SMS messages, redirecting incoming voice calls and capturing audio using the device’s microphone. But as reported by independent researcher Kafeine, it’s now also being used to thwart the mobile transaction authorization number (mTAN), or mToken, authentication scheme used by several banks throughout the world, along with Gmail, Facebook and Twitter.

Recently, RSA noted that iBanking’s source code was leaked on underground forums.

“In fact, the web admin panel source was leaked as well as a builder script able to change the required fields to adapt the mobile malware to another target,” said Jean-Ian Boutin, a researcher at ESET, in an analysis. “At this point, we knew it was only a matter of time before we started seeing some ‘creative’ uses of the iBanking application.”

To wit, it’s being used for a type of webinject that was “totally new” for ESET: it uses JavaScript, meant to be injected into Facebook web pages, which tries to lure the user into installing an Android application.

Once the user logs into his or her Facebook account, the malware tries to inject a fake Facebook verification page into the website, asking for the user’s mobile number. Once entered, the victim is then shown a page for SMS verification if it’s an Android phone being used.

The hackers are very helpful: “If the SMS somehow fails to reach the user’s phone, he can also browse directly to the URL on the image with his phone or scan the QR code,” explained Boutin. “There is also an installation guide available that explains how to install the application.”

Since the webinject is available through a well-known webinject coder, this Facebook iBanking app might be distributed by other banking trojans in the future, ESET warned. “In fact, it is quite possible that we will begin to see mobile components targeting other popular services on the web that also enforce two-factor authentication through the user’s mobile,” Boutin said.


Read more: http://www.infosecurity-magazine.co...epurposed-to-thwart-twofactor-authentication/
 