Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Android Malware Repurposed to Thwart Two-factor Authentication

Photo credit: Alexander Supertramp/Shutterstock.com
Photo credit: Alexander Supertramp/Shutterstock.com

Dubbed iBanking, the bot offers a slew of phone-specific capabilities, including capturing incoming and outgoing SMS messages, redirecting incoming voice calls and capturing audio using the device’s microphone. But as reported by independent researcher Kafeine, it’s now also being used to thwart the mobile transaction authorization number (mTAN), or mToken, authentication scheme used by several banks throughout the world, along with Gmail, Facebook and Twitter.

Recently, RSA noted that iBanking’s source code was leaked on underground forums.

“In fact, the web admin panel source was leaked as well as a builder script able to change the required fields to adapt the mobile malware to another target,” said Jean-Ian Boutin, a researcher at ESET, in an analysis. “At this point, we knew it was only a matter of time before we started seeing some ‘creative’ uses of the iBanking application.”

To wit, it’s being used for a type of webinject that was “totally new” for ESET: it uses JavaScript, meant to be injected into Facebook web pages, which tries to lure the user into installing an Android application.

Once the user logs into his or her Facebook account, the malware tries to inject a fake Facebook verification page into the website, asking for the user’s mobile number. Once entered, the victim is then shown a page for SMS verification if it’s an Android phone being used.

The hackers are very helpful: “If the SMS somehow fails to reach the user’s phone, he can also browse directly to the URL on the image with his phone or scan the QR code,” explained Boutin. “There is also an installation guide available that explains how to install the application.”

Since the webinject is available through a well-known webinject coder, this Facebook iBanking app might be distributed by other banking trojans in the future, ESET warned. “In fact, it is quite possible that we will begin to see mobile components targeting other popular services on the web that also enforce two-factor authentication through the user’s mobile,” Boutin said.

Also, because Google has stepped up its game in filtering malicious apps from the Google Play store, some speculate that Android malware authors have had to resort to novel and convoluted methods for getting their malware installed on users’ devices.

“The iBanking/Webinject scheme uses what is becoming a standard technique: first it infects the user’s PC, then it uses this position to inject code into the user’s PC web browser on a trusted site, telling the user that the trusted site wants them to ‘sideload’ an Android app, ostensibly for security reasons,” said Jeff Davis, vice president of engineering at Quarri Technologies, in an emailed comment. “The attack even includes instructions on how to change their Android settings to allow sideloading, which should be a big red flag but apparently isn’t.”

Clearly, the PC is still the weak link in internet security, both for individuals and for enterprises, he added.

In any event, users should avoid installing apps on a mobile device using the PC. “Sideloading is a major vector for malware getting installed on Android devices,” he said. “Although Android provides a warning about sideloading making your device more vulnerable when you enable it, it seems that warning isn’t strong enough. Maybe they need bold, blinking red text saying, ‘Legitimate apps are rarely installed this way! You’re probably installing malware on your device!’”

What’s Hot on Infosecurity Magazine?