iBanking is a malicious Android application that when installed on a mobile  phone is able to spy on its user’s communications. This bot has many interesting phone-specific capabilities, including capturing incoming and outgoing SMS messages, redirecting incoming voice calls, and even capturing audio using the device’s microphone. As reported by independent researcher Kafeine, this mobile application was for sale in underground forums and was used by several banking Trojans in an attempt to bypass a mobile two-factor authentication method put forth by some financial institutions. This method, usually called "mobile transaction authorization number" (mTAN) or mToken in the financial realm, is used by several banks throughout the world to authorize banking operations, but is now also increasingly used by popular internet services such as Gmail, Facebook and Twitter.

Recently, it was revealed by RSA that iBanking's source code was leaked on underground forums. In fact, the web admin panel source was leaked as well as a builder script able to change the required fields to adapt the mobile malware to another target. At this point, we knew it was only a matter of time before we started seeing some “creative” uses of the iBanking application.


Through our monitoring of the banking Trojan Win32/Qadars, first discussed on our blog here, we have witnessed a type of webinject that was totally new for us: it uses JavaScript, meant to be injected into Facebook web pages, which tries to lure the user into installing an Android application.

When we initially saw that webinject, we immediately knew that something interesting was at play:


Webinject as downloaded by Win32/Qadars bot

Once the user logs into his Facebook account, the malware tries to inject the following content into the webpage:


Fake Facebook Verification Page Leading to Malicious Android Application

Once the user enters his phone number, he is then shown the following page if he indicates that his mobile is running Android.


SMS Verification Step

If the SMS somehow fails to reach the user’s phone, he can also browse directly to the URL on the image with his phone or scan the QR code. There is also an installation guide available that explains how to install the application.


iBanking Installation Guide

The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud. Although the Facebook two-factor authentication feature has been around for quite a while, it may be that there is a growing number of people using it, thus making account takeover through a regular account credentials grabber ineffective. It might also just be a good way to make the user install iBanking on his phone so that the bot masters can make use of the other spying functionalities of iBanking.


iBanking, detected by ESET as Android/Spy.Agent.AF, is an application that showcases complex features when compared with other earlier mobile banking malware, such as Perkele. It can be used in conjunction with any malware able to inject code into a webpage and is generally used to redirect incoming SMS messages to bypass two-factor authentication. As iBanking technical analysis has already been done in the past, we did not study thoroughly this sample. We will keep this analysis, if relevant, for a future blog post.

As stated in our previous blog, Perkele's mobile component has already been used as part of one of Win32/Qadars’s campaigns in an effort to bypass two-factor authentication mechanisms put forth by banks. Now we see that it is also using iBanking. This does not come as a surprise, as we believe that all webinjects deployed by the Win32/Qadars operators are bought in underground forums; thus they are not tied to any particular platforms. On the other hand, since this webinject is available through a well-known webinject coder, this Facebook iBanking app might be distributed by other banking Trojans in the future. In fact, it is quite possible that we will begin to see mobile components targeting other popular services on the web that also enforce two-factor authentication through the user’s mobile.

ZitMo, SpitMo, Citmo, Perkele and iBanking are all mobile components that have been used in the past by banking Trojans. The latter two were not bound to specific desktop malware and were for sale on various underground forums. This commoditization of mobile banking malware has given several smaller banking Trojans the means to try to bypass some two-factor authentication measures put in place by banks. Now that mainstream web services such as Facebook are also targeted by mobile malware, it will be interesting to see whether other types of malware will start using webinjects. Will we see content injection functionalities and mobile malware used in non-financial types of malware so that they can take over accounts from popular web services? Time will tell, but because of the commoditization of mobile malware and the associated code source leaks, this is a distinct possibility.

SHA1 Hashes
Win32/Qadars: acd994ac60c5b8156001a7e54f91413501394ca3
Android/Spy.Agent.AF: fc13dc7a4562b9e52a8dff14f712f2d07e47def4