Security Protection – Harry Waldron MVP

Android Security – iBanking Mobile Bot uses Facebook web injection techniques

ESET documents the iBanking and Qadars mobile security threats:

http://www.welivesecurity.com/2014/04/16/facebook-webinject-leads-to-ibanking-mobile-bot/

http://www.virusradar.com/en/Win32_Qadars/detail

http://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/

QUOTE: iBanking is a malicious Android application that when installed on a mobile phone is able to spy on its user’s communications. This bot has many interesting phone-specific capabilities, including capturing incoming and outgoing SMS messages, redirecting incoming voice calls, and even capturing audio using the device’s microphone. As reported by independent researcher Kafeine, this mobile application was for sale in underground forums and was used by several banking Trojans in an attempt to bypass a mobile two-factor authentication method put forth by some financial institutions. This method, usually called “mobile transaction authorization number” (mTAN) or mToken in the financial realm, is used by several banks throughout the world to authorize banking operations, but is now also increasingly used by popular internet services such as Gmail, Facebook and Twitter.

Through our monitoring of the banking Trojan Win32/Qadars, first discussed on our blog here, we have witnessed a type of webinject that was totally new for us: it uses JavaScript, meant to be injected into Facebook web pages, which tries to lure the user into installing an Android application. Once the user logs into his Facebook account, the malware tries to inject the following fake security verification screen into the webpage
