
RSA Online Fraud Report -- February 2014. Author: Heidi.

RSA MONTHLY FRAUD REPORT

FRAUD REPORT

iBANKING MOBILE BOT SOURCE CODE LEAKED

February 2014

iBANKING MOBILE BOT SOURCE CODE LEAKED

RSA researchers have recently traced a forum post leaking the iBanking mobile bot control panel source code. Apart from the server-side source code, the leaked files also include a builder (a bash script) that can unpack the existing iBanking APK file and re-pack it with different configurations, essentially providing fraudsters with the means to create their own unique application.

The iBanking mobile bot is a relative newcomer to the mobile malware scene, and has been available for sale in the underground for $5,000 since late last year. RSA first saw it spread through HTML injection attacks on banking sites, social engineering victims into downloading a malicious app disguised as a “security app” for their Android devices.

The malware goes beyond being yet another SMS-sniffer app, offering features such as call redirecting, audio recording (using the device’s mic) and data stealing. The malware is an example of the ongoing developments in the mobile malware space, and we are now seeing the next generation of malicious apps being developed and commercialized in the underground, boasting web-based control panels and packing more data-stealing features.


In order to deceive its victims, the iBanking app disguises itself in different ways. During our analysis, we observed two main graphic templates: one made use of its target’s logos and monikers (in our analysis a well-known financial institution), and in another, it masqueraded as a security app. Furthermore, during the installation process, the app attempts to social engineer the user into providing it with administrative rights, making its removal much more difficult.

Figure 1: Forum post leaking the source code.

Figure 2: Installation process requesting permissions to use the phone, SMS and audio services.

Figure 3: Attempting to uninstall the app after it has received administrative privileges.
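The permission set Figure 2 shows (phone, SMS, audio) together with the device-admin request in Figure 3 is the combination a triage analyst looks for when reviewing a suspicious APK. The following script is an added example, not code from the RSA report or from the malware: it parses a decoded AndroidManifest.xml (in the form a tool such as apktool writes), maps the requested permissions onto the capability groups the report lists, and flags the manifest when several of those groups appear together with a device-admin receiver. The manifest, the capability groups and the threshold are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the capability profile the report
describes: SMS interception, call control, audio capture, contact theft and a
device-admin receiver that makes removal harder.

Added example, not code from the RSA report or from the malware. The manifest
below is a constructed sample; the capability groups and the threshold are
assumptions chosen for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Capability groups named after the bot features listed in the report.
CAPABILITIES = {
    "sms_capture": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.PROCESS_OUTGOING_CALLS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "contacts": {"android.permission.READ_CONTACTS"},
}
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed sample manifest in decoded form (package name is made up).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurityapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Security App">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def profile_manifest(xml_text):
    """Return (package, sorted capability groups requested, has_device_admin)."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    groups = sorted(g for g, perms in CAPABILITIES.items() if perms & requested)
    # A device-admin receiver is recognised by the DEVICE_ADMIN_ENABLED action.
    device_admin = any(
        action.get(NAME) == DEVICE_ADMIN_ACTION
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    )
    return root.get("package"), groups, device_admin


def risk_verdict(groups, device_admin, min_groups=3):
    """True when at least min_groups capability groups (assumed threshold)
    are combined with a device-admin receiver."""
    return len(groups) >= min_groups and device_admin


if __name__ == "__main__":
    pkg, groups, admin = profile_manifest(SAMPLE_MANIFEST)
    print(pkg, groups, "device-admin" if admin else "no device-admin")
    print("REVIEW" if risk_verdict(groups, admin) else "ok")
```

The point of scoring groups rather than individual permissions is that any one of them has legitimate uses; it is the combination of SMS interception, call control and audio capture under a device-admin receiver that matches the profile described here and merits a closer look.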


The bot can be controlled either over HTTP or via SMS. Over HTTP, the app will beacon its control server every pre-defined interval, then pull and execute the command if one is awaiting it. The app provides its controller with the following capabilities:

– Capture all incoming/outgoing SMS messages

– Redirect all incoming voice calls to a different pre-defined number

– In/out/missed call-list capturing

– Audio capturing via device’s microphone

– Phone book capturing

– URL status: the mobile device will visit a provided URL, returning its status (possibly for click-fraud schemes).

When attempting to communicate to its control server via HTTP, the bot will send up-to-date information about the device. If it fails to communicate over HTTP, it will alert its controller by SMS to the pre-defined control number. The control number is the number used by the fraudster to control his bots. Any SMS received at the bot originating from the control number will be parsed, and the command executed.
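The HTTP channel described above, a client polling one host "every pre-defined interval", leaves a timing signature in proxy or gateway logs that is independent of the server's address or the request's content. The script below is an added example, not from the RSA report: it groups requests by client and destination host and flags pairs whose inter-request gaps are nearly constant. The log lines, the host name and the thresholds are constructed for illustration.

```python
"""Detect fixed-interval beaconing in proxy logs.

Added example (not from the RSA report). The report describes the bot polling
its control server at a fixed interval; regular timing of requests from one
client to one host is the observable this script scores. The log lines below
are constructed sample data and the host name is a placeholder.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client> <method> <host> <path>"
SAMPLE_LOG = """\
2014-02-03T10:00:00 10.0.0.7 POST c2.example.invalid /gate.php
2014-02-03T10:00:03 10.0.0.7 GET www.example.com /news
2014-02-03T10:05:00 10.0.0.7 POST c2.example.invalid /gate.php
2014-02-03T10:07:41 10.0.0.7 GET www.example.com /sports
2014-02-03T10:10:01 10.0.0.7 POST c2.example.invalid /gate.php
2014-02-03T10:14:59 10.0.0.7 POST c2.example.invalid /gate.php
2014-02-03T10:20:00 10.0.0.7 POST c2.example.invalid /gate.php
2014-02-03T10:22:10 10.0.0.7 GET www.example.com /weather
2014-02-03T10:25:00 10.0.0.7 POST c2.example.invalid /gate.php
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples from the sample log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _path = line.split()
        yield datetime.fromisoformat(ts), client, host


def beacon_candidates(text, min_requests=5, max_jitter=0.05):
    """Return {(client, host): mean_gap_seconds} for pairs whose request gaps
    are nearly constant: coefficient of variation below max_jitter.
    min_requests and max_jitter are assumed thresholds for illustration."""
    seen = defaultdict(list)
    for ts, client, host in parse_log(text):
        seen[(client, host)].append(ts)
    result = {}
    for key, stamps in seen.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            result[key] = avg
    return result


if __name__ == "__main__":
    for (client, host), interval in beacon_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {host}: ~{interval:.0f}s interval")
```

On the constructed input only the five-minute POST cadence to the placeholder host is reported; the browsing requests are too few and too irregular. In practice the jitter threshold must be tuned, since legitimate software (update checks, mail clients) also polls on a schedule, so the result is a lead for review rather than a verdict.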

The leaked files do not include the source code of the app itself, but the provided bash script gives fraudsters the means to customize the app’s configuration including the control server’s address, the control number, the app’s characteristics (such as name), and the graphic template that should be used. Although this limits the app’s further development by other fraudsters, it is still sufficient to enable fraudsters to launch their own custom attacks.

Figure 4: HTTP-based communication delivering stolen SMS messages from the device to the control server.


REVEALING THE iBANKING WEB-BASED CONTROL PANEL

The web-based control panel, whose source code was completely leaked, is programmed to aid botmasters with control over the infected mobile devices. The panel provides the controller with an overview of the botnet, and affords a one-click interface to send commands to infected devices over HTTP.

What’s interesting about the control panel is that it is capable of hosting several “sandboxed” campaigns (called on the panel “projects”). This could support an iBanking-as-a-Service model in which the panel owner could offer it as a service to several fraudsters, each only having access to their own attack campaign.

The controller is able to access information regarding the currently selected device including:

– SMS list: SMS messages bearing one-time password (OTP) codes received.

– All SMS list: all SMS messages sent and received.

– All call list: all call logs (inbound, outbound and missed).

– Sounds: lists all audio recordings, made using the device’s mic, that were stolen from the device. The audio is stored on the server in 3gp format.

– Contact list: the list of contacts captured from the selected device.

– URL report: provides a list of URLs and their status code as tested by, and returned from, the device.

LOOKING AHEAD

With the apparent code leak, Trojan botmasters are now in a better position to incorporate this advanced mobile counterpart in their PC-based attacks, affording them control over their victims’ smartphones. What’s more, the panel’s “sandboxing” feature, supporting multiple unrelated attack campaigns (or mobile botnets), may encourage mobile-botnet-as-a-service offerings in the underground marketplace.

The malware’s ability to capture SMS messages and audio recordings, as well as divert voice calls, makes step-up authentication all the more challenging as fraudsters gain more control over the OOB device. This highlights the need for stronger authentication solutions capable of validating users’ identities using multiple factors, including biometric solutions. The latter will also assist in reducing the dependency on conscious human intervention, making social engineering attempts void.

We will continue to monitor the developments in this space.


RSA CYBERCRIME STATISTICS FEBRUARY 2014

Phishing Attacks per Month

RSA identified 29,034 phishing attacks in January, marking a 21% decrease from December’s attack numbers. This is also 4% lower than the number of attacks a year ago.

US Bank Types Attacked

Nationwide banks were the prime target for phishing attacks in January with 62% of attack volume, while credit unions saw a significant increase – from 5% to 16% of total volume.

Top Countries by Attack Volume

The U.S. remained the most targeted country in January with an overwhelming 81% of total phishing volume, followed by the UK, the Netherlands, Canada, and South Africa.

[Charts: Phishing Attacks per Month (29,034 attacks); US Bank Types Attacked (Credit Unions, Regional, National); Top Countries by Attack Volume (U.S. 81%; UK, Netherlands, South Africa). Source: RSA Anti-Fraud Command Center]


Top Countries by Attacked Brands

In January, 25% of phishing attacks were targeted at brands in the U.S., followed by the UK, India, Canada and Australia.

Top Hosting Countries

The U.S. continues to host the most phishing attacks, hosting 34% of global phishing attacks in January, followed by Germany, Canada, and Colombia.

[Charts: Top Countries by Attacked Brands (U.S. 25%, UK); Top Hosting Countries (U.S. 34%); panel title GLOBAL PHISHING LOSSES JANUARY 2014]

©2014 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. FEB RPT 0214