The iBanking mobile bot source code was leaked in February 2014, providing fraudsters with the ability to create tailored malicious applications aimed at stealing user data. This malware, which includes features such as SMS interception, call redirection, and audio recording, poses significant risks for mobile security, especially as it facilitates advanced phishing attacks. Moreover, the leaked web-based control panel empowers botmasters to manage infected devices effectively, potentially leading to a rise in mobile botnet-as-a-service offerings in the underground market.

1. iBANKING MOBILE BOT
SOURCE CODE LEAKED
February 2014
iBANKING MOBILE BOT SOURCE CODE LEAKED
RSA researchers have recently traced a forum post leaking the iBanking mobile bot
control panel source code. Apart from the server-side source code, the leaked files also
include a builder (a bash script) that can unpack the existing iBanking APK file and
re-pack it with different configurations, essentially providing fraudsters with the means to
create their own unique application.
The iBanking mobile bot is a relative newcomer to the mobile malware scene, and has
been available for sale in the underground for $5,000 since late last year. RSA first saw it
spread through HTML injection attacks on banking sites, social engineering victims into
downloading a malicious app disguised as a “security app” for their Android devices.
The malware goes beyond being yet another SMS-sniffer app, offering features such as
call redirecting, audio recording (using the device’s mic) and data stealing. The malware
is an example of the ongoing developments in the mobile malware space, and we are
now seeing the next generation of malicious apps being developed and commercialized
in the underground, boasting web-based control panels and packing more data-stealing
features.
FRAUD REPORT
R S A M O N T H LY F R A U D R E P O R T
page 1

2. Figure 1
Forum post leaking the source code
In order to deceive its victims, the iBanking app disguises itself in different ways. During
our analysis, we observed two main graphic templates: one made use of its target’s logos
and monikers (in our analysis a well-known financial institution), and in another, it
masqueraded as a security app. Furthermore, during the installation process, the app
attempts to social engineer the user into providing it with administrative rights, making
its removal much more difficult.
Figure 2
Installation process requesting
permissions to use the phone,
SMS and audio services;
Figure 3
Attempting to uninstall the app after it
has received administrative privileges.
R S A M O N T H LY F R A U D R E P O R T
page 2

3. The bot can be controlled either over HTTP or via SMS. Over HTTP, the app will beacon its
control server every pre-defined interval, then pull and execute the command if one is
awaiting it. The app provides its controller with the following capabilities:
–– Capture all incoming/outgoing SMS messages
–– Redirect all incoming voice calls to a different pre-defined number
–– In/out/missed call-list capturing
–– Audio capturing via device’s microphone
–– Phone book capturing
–– RL status: the mobile device will visit a provided URL, returning its status (possibly for
U
click-fraud schemes.)
When attempting to communicate to its control server via HTTP, the bot will send up-todate information about the device. If it fails to communicate over HTTP, it will alert its
controller by SMS to the pre-defined control number. The control number is the number
used by the fraudster to control his bots. Any SMS received at the bot originating from the
control number will be parsed, and the command executed.
Figure 4
HTTP-based communication delivering
stolen SMS messages from the device
to the control server.
The leaked files do not include the source code of the app itself, but the provided bash
script gives fraudsters the means to customize the app’s configuration including the
control server’s address, the control number, the app’s characteristics (such as name),
and the graphic template that should be used. Although this limits the app’s further
development by other fraudsters, it is still sufficient to enable fraudsters to launch their
own custom attacks.
R S A M O N T H LY F R A U D R E P O R T
page 3

4. REVEALING THE iBANKING WEB-BASED CONTROL PANEL
The web-based control panel, whose source code was completely leaked, is programmed
to aid botmasters with control over the infected mobile devices. The panel provides the
controller with an overview of the botnet, and affords a one-click interface to send
commands to infected devices over HTTP.
What’s interesting about the control panel is that it is capable of hosting several
“sandboxed” campaigns (called on the panel “projects”). This could support an
iBanking-as-a-Service model in which the panel owner could offer it as a service to
several fraudsters, each only having access to their own attack campaign.
The controller is able to access information regarding the currently selected device
including:
–– SMS list: SMS messages bearing one-time password (OTP) codes received.
–– All SMS list: all SMS messages sent and received.
–– All call list: all call logs (inbound, outbound and missed).
–– Sounds: lists all audio recording, using the device’s mic, that were stolen from the
device. The audio is stored on the server in 3gp format.
–– Contact list: the list of contacts captured from the selected device
–– RL report: provides a list of URLs and their status code as tested by, and returned
U
from the device
LOOKING AHEAD
With the apparent code leak, Trojan botmasters are now in a better position to
incorporate this advanced mobile counterpart in their PC-based attacks, affording them
control over their victims’ smartphones. What’s more, the panel’s “sandboxing” feature,
supporting multiple unrelated attack campaigns (or mobile botnets), may encourage
mobile-botnet-as-a-service offerings in the underground marketplace.
The malware’s ability to capture SMS messages and audio recordings, as well as divert
voice calls, makes step-up authentication all the more challenging as fraudsters gain
more control over the OOB device. This highlights the need for stronger authentication
solutions capable of validating users’ identities using multiple factors including biometric
solutions. The latter will also assist in reducing the dependency on conscious human
intervention making social engineering attempts void.
We will continue to monitor the developments in this space.
R S A M O N T H LY F R A U D R E P O R T
page 4

5. RSA CYBERCRIME STATISTICS
FEBRUARY 2014
Source: RSA Anti-Fraud Command Center
Phishing Attacks per Month
RSA identified 29,034 phishing attacks in
January, marking a 21% decrease from
December’s attack numbers. This is also
4% lower than the number of attacks a
year ago.
29,034
Attacks
US Bank Types Attacked
Nationwide banks were the prime target for
phishing attacks in January with 62% of
attack volume, while credit unions saw a
significant increase – from 5% to 16% of
total volume.
Credit Unions
Regional
National
Top Countries by Attack Volume
The U.S. remained the most targeted
country in January with an overwhelming
81% of total phishing volume, followed by
the UK, the Netherlands, Canada, and
South Africa.
81%
4%
UK
2%
Netherlands
2%
R S A M O N T H LY F R A U D R E P O R T
U.S.
South Africa
page 5

6. Top Countries by Attacked Brands
In January, 25% of phishing attacks were
targeted at brands in the U.S., followed by
the UK, India, Canada and Australia.
U.S.
25%
UK
12%
34%
Top Hosting Countries
The U.S. continues to host the most
phishing attacks, hosting 34% of global
phishing attacks in January, followed by
Germany, Canada, and Colombia.
7%
7%
6%
GLOBAL PHISHING LOSSES
JANUARY 2014
CONTACT US
To learn more about how RSA products, services, and solutions help solve your
business and IT challenges contact your local representative or authorized reseller –
or visit us at www.emc.com/rsa
www.emc.com/rsa
©2014 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC
Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective
holders. FEB RPT 0214