Leak of iBanking Bot Source Code Opens Up New Opportunities for Cybercriminals

iBanking source code leaked

RSA reveals that the company’s researchers have stumbled upon the source code for the iBanking mobile bot on a cybercrime forum. iBanking is a relatively new threat, but the fact that its source code has been leaked can be highly beneficial for botmasters.

iBanking emerged late last year, being sold at around $5,000 (€3,650). The mobile threat is capable of more than just intercepting SMS messages. It can also redirect calls, record audio using the infected device’s microphone, and even steal data.

The bot is being distributed via HTML injections on banking websites or as a so-called security application for Android devices.

The source code found by researchers is for the server-side software, including the control panel, which provides an overview of the botnet and enables the controller to send various commands to infected smartphones.

“What’s interesting about the control panel is that it is capable of hosting several ‘sandboxed’ campaigns (called on the panel ‘projects’). This could support an iBanking-as-a-Service model in which the panel owner could offer it as a service to several fraudsters, each only having access to their attack campaign,” RSA’s Daniel Cohen wrote in a blog post.

In addition to the source code, a builder that can be used to unpack the existing APK file and repack it with different configurations has also been leaked. This enables cybercriminals to create their own malicious applications.

“With the apparent code leak, Trojan botmasters are now in a better position to incorporate this advanced mobile counterpart in their PC-based attacks, affording them control over their victims’ smartphones,” Cohen explained.

“What’s more, the panel’s ‘sandboxing’ feature, supporting multiple unrelated attack campaigns (or mobile botnets), may encourage mobile-botnet-as-a-service offerings in the underground marketplace.”


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s