08 September 2014

Source Code Leaked but the Game isn't Over, says Daniel Cohen, Head of Knowledge Delivery and Business Development for RSA's FraudAction Group

Dubai, UAE - 8 September 2014 - In the cyber-underground, one can never be too careful. Between researchers and law enforcement, cybercriminals are always wary of being shut down or, worse, caught and prosecuted. The developers of the iBanking Trojan are no exception.

The iBanking mobile bot is a relative newcomer to the mobile malware scene and has been available for sale in the underground for $5,000 since late last year. We first saw it spread through HTML injection attacks on banking sites, social-engineering victims into downloading a so-called "security app" for their Android devices.

The malware is an example of the ongoing developments in the mobile malware space and points to the next generation of malicious apps being developed and commercialized in the underground: apps that boast web-based control panels and pack more data-stealing features.

In order to deceive its victims, the iBanking app disguises itself in different ways, often masquerading as a popular and trusted application or webpage. Furthermore, during the installation process the app attempts to social-engineer the user into granting it device administrator rights, which makes its removal much more difficult.

The bot can be controlled either over HTTP or via SMS and provides its controller with the following capabilities:

· Capture all incoming/outgoing SMS messages

· Redirect all incoming voice calls to a different pre-defined number

· In/out/missed call-list capturing

· Audio capturing via the device's microphone

· Phone book capturing

· URL status: the mobile device will visit a provided URL, returning its status (possibly for click-fraud schemes)

Suffice it to say, this is all an attacker needs to gain access to your e-banking account and transfer just the amount he or she needs, or, in the case of an enterprise, to publicly leak information of a sensitive nature and wreak havoc.

iBanking is also perhaps one of the best examples of how malware developers are racing to implement counter-measures to keep their operations protected. Even though the panel's source code was leaked a couple of months ago, the bot itself is still under regular development and now has several new features, including enumeration of all installed apps on the infected device, harvesting of images from the device and collection of precise geo-location data.

RSA experts report having identified nearly 30 "graphic" templates for iBanking, but the most intriguing development is the use of stronger encryption methods to hide its resources, together with a self-protection mechanism, including packers and obfuscators, to protect its code from reverse-engineering attempts and anti-virus detection. It has also implemented "anti-SDK" protection features to evade sandbox environments.

As with everything else mobile, these developments have happened faster than expected.

The iBanking malware shows that mobile malware developers are fast becoming aware of the necessity to protect their bots against analysis, and indicates a possible new trend in this new and evolving mobile malware space.

About RSA

RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world's leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.

Combining business-critical controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention and Fraud Protection with industry leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.EMC.com/RSA.

# # #

RSA and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other products and/or services referenced are trademarks of their respective companies.

© Press Release 2014