New iBanking Malware Attacking Android Phones
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Can it be stopped?
Back in May, Symantec published an alarming report on the mobile malware threat that is now targeting banking from Android phones. That covers phones made and marketed by Samsung, Google, Sony, LG, and every Motorola Moto model. Now the source code has been leaked, and new attacks are likely to grow in the immediate future. Here is some background:
Early this year, Russian cybercrime gangs began to use targeted Android malware to broaden their attacks on financial institutions. The tool, oddly named iBanking, is one of the most complicated and sophisticated pieces of malware we have seen on the underground market, and its creator runs a professional, well-designed Software-as-a-Service (SaaS) business model.
For $5,000 you can subscribe to the software, which comes with updates and tech support just like any good SaaS offering, and the creators are also willing to structure OEM-style deals for a share of the profits. How’s that for bullish?
To fool its targets, the iBanking malware masquerades as security software in the hope that an end user will install it believing they are actually protecting their device. The malware is positioned mainly to bypass the out-of-band security measures employed by many banks and their employees, by intercepting passwords sent through SMS, which many enterprises have also adopted as part of their two-factor authentication. It has a number of advanced features, including the ability for attackers to toggle between HTTP and SMS control channels, depending on the availability of an Internet connection.
The targets are first infected with a financial Trojan on their PCs, which generates a pop-up message when they visit a banking or social networking website, asking them to install a mobile app as an additional security measure, all of which seems benign enough.
The target is then prompted for their phone number and the device operating system and will then be sent a download link for the fake software via SMS.
The malware looks exactly like official software from a range of different banks and social networks. Once it is installed on the phone, the attacker has almost complete access to the device and can steal a wide range of information, intercept voice and text communications, and even record audio through the phone’s microphone.
Since iBanking can be controlled through both SMS and HTTP, it has both online and offline options for command and control. By default, the malware checks for a valid Internet connection. If one is found, it can be controlled over the Web through HTTP. If no Internet connection is present, it switches to SMS.
iBanking’s main features include:
- Stealing phone information: phone number, ICCID, IMEI, IMSI, model, operating system
- Intercepting all incoming and outgoing SMS messages and calls and uploading them to the control server in real time, and forwarding/redirecting all calls to an attacker-controlled number
- Uploading all contact information to the control server
- Recording audio on the microphone and uploading it to the control server
- Sending SMS messages
- Obtaining the device’s geolocation on demand
- Complete access to the entire file system and program indexes
- Blocking and preventing the removal of the malware and/or Trojans
- Wiping/restoring the phone to factory settings if administrator rights are re-enabled
The iBanking malware advancements are part of the normal cycle of the malware ecosystem. To avoid detection by security measures and remain a threat, malware must constantly change and evolve; adding new features helps criminals achieve this. And when one attacker group gets new functionality in its malware that improves its attack success rate, other groups will want that functionality incorporated into their malware.
Detecting malware on an Android device is similar to detecting malware on Windows PCs or Macs. Users can do this by installing an antimalware application on their smartphone to check for malware, by reviewing sent text messages for unknown ones that might have been sent by malware, or by investigating the root cause when the device behaves erratically.
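One way to turn the "review your sent text messages" advice into a repeatable check, as an added example that is not from the article or from Symantec's report: the script below scans an export of sent SMS records for the exfiltration patterns the feature list describes (device identifiers such as IMEI/IMSI/ICCID, relayed verification codes, and repeated traffic to a number the user never saved). The record format, the contacts, and every number and identifier in it are constructed for the example; the HTTP control channel the article mentions is not covered here and belongs with the network monitoring discussed below.

```python
import re
from collections import Counter

# Constructed sample data (not from the article or the Symantec report);
# the phone numbers and identifiers below are made up.
CONTACTS = {"+15551230001", "+15551230002"}

SENT_SMS = [
    {"to": "+15551230001", "body": "Running late, see you at 7"},
    {"to": "+447700900123", "body": "imei=358240051111110;imsi=310150123456789;os=4.4.2"},
    {"to": "+15551230002", "body": "ok"},
    {"to": "+447700900123", "body": "fwd from +15550009999: Your verification code is 482913"},
    {"to": "+15559876543", "body": "Hi, this is Dana from the hardware store, your order is in"},
]

FIFTEEN_DIGITS = re.compile(r"\b\d{15}\b")           # IMEI and IMSI are 15-digit values
ID_KEYWORDS = ("imei", "imsi", "iccid")
OTP_TEXT = re.compile(r"\b(verification|security|one.time)\s+code\b", re.I)


def suspicious_sent_sms(sent, contacts):
    """Return {message index: [reasons]} for sent messages that look like the
    exfiltration behaviour described above: device identifiers or relayed
    2FA codes leaving the phone, or a stream of messages to an unsaved number."""
    unknown_recipients = Counter(m["to"] for m in sent if m["to"] not in contacts)
    findings = {}
    for i, msg in enumerate(sent):
        body = msg["body"]
        reasons = []
        if FIFTEEN_DIGITS.search(body) or any(k in body.lower() for k in ID_KEYWORDS):
            reasons.append("contains device identifier (IMEI/IMSI/ICCID)")
        if OTP_TEXT.search(body):
            reasons.append("relays a 2FA/verification code")
        # A single chatty message to an unknown number is normal; only a recurring
        # unsaved recipient is treated as a possible control/exfiltration channel.
        if msg["to"] not in contacts and unknown_recipients[msg["to"]] > 1:
            reasons.append("repeated messages to an unsaved number")
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for idx, why in suspicious_sent_sms(SENT_SMS, CONTACTS).items():
        print(idx, SENT_SMS[idx]["to"], "->", "; ".join(why))
```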
Preventing users from falling victim to malware schemes such as iBanking first requires them to make fairly sophisticated and security-aware decisions around what type of software is installed on their mobile devices. Enterprise security awareness training should emphasize installing only trusted apps; however, it is often difficult to identify if an app is trusted. Users could download only apps from trusted app stores or, to determine if an app is legitimate, check other users’ reviews in an app store, look at the number of times the app has been downloaded, read reviews on the Internet, or take recommendations from friends and colleagues.
Companies can protect employee mobile devices by running their own enterprise app store and vetting the apps published in it. Additionally, end users should always report suspicious pop-ups asking them to install security software or any new programs. A mobile device management tool should also be installed before the device goes into production use to prevent malware from infecting it. Alternatively, command-and-control traffic over the Internet can be detected and blocked by monitoring the network.
Whatever controls you choose to impose on your employees or yourself, be sure to do so in a manner that is consistent with security best practices and has been proven to prevent similar attacks in the past.
There is no software substitute for security awareness training, and 80% of attacks occur because of insider negligence. If you want additional information about iBanking or need assistance with setting up internal training or managed security programs, please let me know by dropping me a line at [email protected], and in the meantime, always remember to keep smiling.
As Churchill famously said, “A pessimist sees difficulty in every opportunity, while an optimist sees opportunity in every difficulty.” Might as well be an optimist, right?
Software Developer & Software Design Enthusiast, Academic/Educator at Heart
10 years ago
Don't fool yourself into thinking an iPhone is more secure than Android. Every time you sync with iTunes you open yourself up to an attack vector that Android devices don't normally face. Plus almost all 'malware' on Android is obtained by installing software from shady places. Even THIS alert is actually social engineering... in that it tricks the user to download and install software (that will work for any device, just so happened they had an Android virus this time that was caught... I wouldn't be surprised if there was Windows Mobile, and iOS versions out there... or coming soon.)
Master of Arts - MA at The Maharaja Sayajirao University of Baroda
10 years ago
With the growth of technology, we should keep ourselves updated. Lagging will cost.
Enologist,Product Quality Manager,Continuous Improvement Coordinator
10 years ago
My cat almost killed my iPhone; she pushed it into water, not kidding, and I am temporarily using my friend's Droid. I hope nothing bad happens to it while it is in my care ...
www mudah.my/faizalomar22
10 years ago
Researchers were able to convert more than 40 percent of sunlight hitting solar panels into electricity.
Executive search, Headhunting ??online
10 years ago
An investment in knowledge always pays the best interest.