ibanking - a botnet on android
DESCRIPTION
Stephen Doherty, Symantec - iBanking is a relative newcomer to the mobile malware scene whose use was first identified in August of 2013. The Trojan targets Android devices and can be remotely controlled over SMS and HTTP. iBanking began life as a simple SMS stealer and call redirector, but has undergone significant development since then. iBanking is available for purchase on a private underground forum for between $4k - $5k, with the next release expected to include a 0-day exploit for the Android operating system. This presentation will discuss iBanking - it's capabilities and the reasons for targeting mobile devices.TRANSCRIPT
iBanking – a Botnet on Android 1
iBanking – a Botnet on Android
Stephen Doherty Senior Threat Intelligence Analyst
iBanking - Agenda
iBanking – a Botnet on Android 2
iBanking – what is it? 1
The Evolution of iBanking 2
There’s no Honour among Thieves 3
iBanking – a Botnet on Android 3
iBanking
What is it?
What does the end user see?
iBanking – a Botnet on Android 4
Polish Fake AV Scanner The Many Faces of iBanking
The Capabilities of iBanking?
Features of iBanking
Steal Device Information
Intercept SMS
Intercept Phone Calls
Forward/Redirect Calls
Steal Address Book
Record Audio on Microphone
Send SMS
Get geo-location
List files on file system
List running applications
Prevent uninstallation
Factory Reset
iBanking – a Botnet on Android 5
Controllable over SMS/HTTP
iBanking Control Panel
• Control Multiple iBanking botnet from a single UI
iBanking – a Botnet on Android 6
iBanking Control Panel
• Simple dropdown to Issue commands
iBanking – a Botnet on Android 7
iBanking Control Panel
Majority of control numbers in Russia
iBanking – a Botnet on Android 8
How do I get infected with iBanking?
iBanking – a Botnet on Android 9
Getting infected with iBanking
iBanking – a Botnet on Android 10
Getting infected with iBanking
iBanking – a Botnet on Android 11
But that’s not all!
• My PC is secure
• I wouldn’t fall for this type of social engineering scam
iBanking – A Botnet on Android 12
Chance Lodging software in Google Play - GFF
iBanking – a Botnet on Android 13
The Evolution of iBanking
How has it evolved?
iBanking – pre sale version in the wild (August 2013)
• Earliest iBanking varient discovered
• Simple call redirector/SMS sniffer
• Control Server Registrant Email
iBanking – a Botnet on Android 14
Russian private forum (September 17th, 2013)
iBanking – a Botnet on Android 15
iBanking source code leaked (February 2nd, 2014)
iBanking – A Botnet on Android 16
iBanking source code leaked (February 2nd, 2014)
iBanking – a Botnet on Android 17
Android 0-day exploit in work (March 6th, 2014)
iBanking – a Botnet on Android 18
“Work! In the near future is expected to announce in my workshop! 0-day vulnerability in android! :-)”
iBanking – a Botnet on Android 19
There is no honour among thieves
A hackers quest to recover 65k stolen bitcoins
ReVOLVeR
https://twitter.com/rev_priv8
iBanking – a Botnet on Android 20
The Priv8 Team
iBanking – a Botnet on Android 21
Wanna sign up?
iBanking – a Botnet on Android 22
Hey I lost 65k BTC, can you help me?
• Phones are secure right?
– Store your Bitcoin wallet/credentials on the phone
• ReVOLVeR gets busy reversing!
– Command & Control
• myredskins.net
iBanking – a Botnet on Android 23
iBanking Control Panel – Admin login
• Authentication required!
iBanking – A Botnet on Android 24
http://[IBANKING_DOMAIN]/iBanking/sendFile.php
There be treasure?
iBanking – A Botnet on Android 25
ReVOLVer – Hacking the BBC
iBanking – A Botnet on Android 26
BBC confirms Hacking incident
iBanking – a Botnet on Android 27
ReVOLVer – Reselling iBanking
iBanking – a Botnet on Android 28
January 6th, 2014
Thank you!
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
iBanking – a Botnet on Android 29
Stephen Doherty,
Senior Threat Intelligence Analyst,
Attack Investigations Team,