Symantec has reported that powerful Russian cybercrime gangs have begun to use premium Android malware to broaden their attacks on financial institutions. The tool, known as iBanking, is one of the most expensive pieces of malware Symantec has ever seen on the underground market, and its creator has a polished, Software-as-a-Service business model.
Operating under the handle GFF, its owner sells subscriptions to the software, complete with updates and technical support, for up to US$5,000. For attackers unable to raise the subscription fee, GFF is also prepared to strike a deal, offering leases in exchange for a share of the profits.
Often masquerading as legitimate social networking, banking, or security applications, iBanking is mainly being used to defeat out-of-band security measures employed by banks. It intercepts one-time passwords sent through SMS. It can also be used to construct mobile botnets and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection.
Its high price tag meant that use was initially confined mainly to well-resourced cybercrime gangs but, with the recent leak of its source code, Symantec has seen a significant increase in activity around iBanking and attacks are likely to grow further in the near future.
Since iBanking victims are usually tricked into installing the app by a desktop financial Trojan, keeping your desktop antivirus software up to date will help avoid infection. Symantec warns users to be wary of any SMS messages which contain links to download APKs (Android application package files), especially from non-reputable sources. IT administrators should consider blocking all messages which contain a link to install an APK.
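The APK-link blocking advice above, sketched as an added example (not code from Symantec's report): a filter that flags messages whose links point at an `.apk` file. The function names and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Matches http(s)/www links and bare "host.tld/path" links as they appear in SMS text.
URL_RE = re.compile(
    r"(?:https?://|www\.)\S+|\b[a-z0-9.-]+\.[a-z]{2,}/\S*", re.IGNORECASE
)


def apk_links(message):
    """Return the links in `message` that point at an Android package file."""
    hits = []
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,;:!?)\"'")  # drop trailing sentence punctuation
        try:
            parts = urlsplit(url if "://" in url else "http://" + url)
        except ValueError:  # malformed link, nothing to inspect
            continue
        # Decode percent-encoding so "%2Eapk" is seen as ".apk".
        candidates = [unquote(parts.path)]
        # Download endpoints often carry the file name in a query parameter;
        # parse_qsl returns already-decoded values.
        candidates += [value for _, value in parse_qsl(parts.query)]
        if any(c.lower().endswith(".apk") for c in candidates):
            hits.append(url)
    return hits


def should_block(message):
    """Policy from the article: block any message that links to an APK."""
    # Limitation: shortened or redirecting links are not resolved here, so a
    # gateway would also need to follow redirects before making a decision.
    return bool(apk_links(message))


if __name__ == "__main__":
    # Constructed sample messages, not taken from real traffic.
    samples = [
        "Your bank requires a security certificate: http://dl.example.test/cert.apk",
        "Install now: example.test/get?file=Security%2EAPK.",
        "Your one-time code is 493021. Do not share it.",
        "Statement ready at https://bank.example.test/apk/info.html",
    ]
    for text in samples:
        print("BLOCK" if should_block(text) else "allow", "|", text)
```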
Some iBanking APKs have been seeded onto trusted marketplaces, and users should be aware of this as a potential avenue of infection. Symantec advises users to be cautious about sharing sensitive data through SMS, or at least to be aware that malicious programs are sniffing this data.
For more information, you can read Symantec's full report on the Android.iBanking threat.