iBanking – a Botnet on Android 1

iBanking – a Botnet on Android

Stephen Doherty Senior Threat Intelligence Analyst

iBanking - Agenda

iBanking – a Botnet on Android 2

iBanking – what is it? 1

The Evolution of iBanking 2

There’s no Honour among Thieves 3

iBanking – a Botnet on Android 3

iBanking

What is it?

What does the end user see?

iBanking – a Botnet on Android 4

Polish Fake AV Scanner The Many Faces of iBanking

The Capabilities of iBanking?

Features of iBanking

Steal Device Information

Intercept SMS

Intercept Phone Calls

Forward/Redirect Calls

Steal Address Book

Record Audio on Microphone

Send SMS

Get geo-location

List files on file system

List running applications

Prevent uninstallation

Factory Reset

iBanking – a Botnet on Android 5

Controllable over SMS/HTTP

iBanking Control Panel

• Control Multiple iBanking botnet from a single UI

iBanking – a Botnet on Android 6

iBanking Control Panel

• Simple dropdown to Issue commands

iBanking – a Botnet on Android 7

iBanking Control Panel

Majority of control numbers in Russia

iBanking – a Botnet on Android 8

How do I get infected with iBanking?

iBanking – a Botnet on Android 9

Getting infected with iBanking

iBanking – a Botnet on Android 10

Getting infected with iBanking

iBanking – a Botnet on Android 11

But that’s not all!

• My PC is secure

• I wouldn’t fall for this type of social engineering scam

iBanking – A Botnet on Android 12

Chance Lodging software in Google Play - GFF

iBanking – a Botnet on Android 13

The Evolution of iBanking

How has it evolved?

iBanking – pre sale version in the wild (August 2013)

• Earliest iBanking varient discovered

• Simple call redirector/SMS sniffer

• Control Server Registrant Email

– ctouma2@googlemail.com

iBanking – a Botnet on Android 14

Russian private forum (September 17th, 2013)

iBanking – a Botnet on Android 15

iBanking source code leaked (February 2nd, 2014)

iBanking – A Botnet on Android 16

iBanking source code leaked (February 2nd, 2014)

iBanking – a Botnet on Android 17

Android 0-day exploit in work (March 6th, 2014)

iBanking – a Botnet on Android 18

“Work! In the near future is expected to announce in my workshop! 0-day vulnerability in android! :-)”

iBanking – a Botnet on Android 19

There is no honour among thieves

A hackers quest to recover 65k stolen bitcoins

ReVOLVeR

https://twitter.com/rev_priv8

iBanking – a Botnet on Android 20

The Priv8 Team

iBanking – a Botnet on Android 21

Wanna sign up?

iBanking – a Botnet on Android 22

Hey I lost 65k BTC, can you help me?

• Phones are secure right?

– Store your Bitcoin wallet/credentials on the phone

• ReVOLVeR gets busy reversing!

– Command & Control

• myredskins.net

iBanking – a Botnet on Android 23

iBanking Control Panel – Admin login

• Authentication required!

iBanking – A Botnet on Android 24

http://[IBANKING_DOMAIN]/iBanking/sendFile.php

There be treasure?

iBanking – A Botnet on Android 25

ReVOLVer – Hacking the BBC

iBanking – A Botnet on Android 26

BBC confirms Hacking incident

iBanking – a Botnet on Android 27

ReVOLVer – Reselling iBanking

iBanking – a Botnet on Android 28

January 6th, 2014

Thank you!

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

iBanking – a Botnet on Android 29

Stephen Doherty,

Senior Threat Intelligence Analyst,

Attack Investigations Team,