Stephen Doherty, Symantec - iBanking is a relative newcomer to the mobile malware scene whose use was first identified in August of 2013. The Trojan targets Android devices and can be remotely controlled over SMS and HTTP. iBanking began life as a simple SMS stealer and call redirector, but has undergone significant development since then. iBanking is available for purchase on a private underground forum for between $4k - $5k, with the next release expected to include a 0-day exploit for the Android operating system. This presentation will discuss iBanking, its capabilities, and the reasons for targeting mobile devices.
1. iBanking – a Botnet on Android
Stephen Doherty
Senior Threat Intelligence Analyst
2. iBanking - Agenda
• iBanking – what is it?
• The Evolution of iBanking
• There’s no Honour among Thieves
3. iBanking: What is it?
4. What does the end user see?
Polish Fake AV Scanner
The Many Faces of iBanking
5. The Capabilities of iBanking?
Features of iBanking
Steal Device Information
Intercept SMS
Intercept Phone Calls
Forward/Redirect Calls
Steal Address Book
Record Audio on Microphone
Send SMS
Get geo-location
List files on file system
List running applications
Prevent uninstallation
Factory Reset
Controllable over SMS/HTTP
6. iBanking Control Panel
• Control multiple iBanking botnets from a single UI
12. But that’s not all!
• My PC is secure
• I wouldn’t fall for this type of social engineering scam
Chance Lodging software in Google Play - GFF
13. The Evolution of iBanking: How has it evolved?
14. iBanking – pre sale version in the wild (August 2013)
• Earliest iBanking variant discovered
• Simple call redirector/SMS sniffer
• Control Server Registrant Email
– ctouma2@googlemail.com
16. iBanking source code leaked (February 2nd, 2014)
17. iBanking source code leaked (February 2nd, 2014)
18. Android 0-day exploit in work (March 6th, 2014)
“Work! In the near future is expected to announce in my
workshop! 0-day vulnerability in android! :-)”
19. There is no honour among thieves: A hacker's quest to recover 65k stolen bitcoins
23. Hey I lost 65k BTC, can you help me?
• Phones are secure, right?
– Store your Bitcoin wallet/credentials on the phone
• ReVOLVeR gets busy reversing!
– Command & Control
• myredskins.net
24. iBanking Control Panel – Admin login
• Authentication required!
http://[IBANKING_DOMAIN]/iBanking/sendFile.php