13. iBanking Source Code “Leak”
• In February 2014, someone posted that iBanking source code was
leaked
• In fact, the control panel code was leaked, but not the Android
source code.
• A builder is available that can change C&C address/phone number
and application skin
13
21. iBanking Permissions
• Having more
capabilities requires a
lot more permissions
• Persistence without
user interaction is
done through
RECEIVE_BOOT_COM
PLETED
21
22. iBanking Commands
# sms start
# sms stop
# call start
# call stop
# change num
# sms list
# call list
# start record
# stop record
# sendSMS
# contact list
# wipe data
# ping
/android/sms/ping.php
/android/sms/index.php
Initialization/Heartbeat calls
/android/sms/sync.php
/android/sms/saveSMS.php
/android/getList.php
/android/sendFile.php
Command receive
Data Upload
22
24. iBanking SMS Divert – How to?
• Commands can be sent over HTTP or SMS
• SMS commands are accepted only if they are coming from known
telephone numbers
24