Watch out for iBanking Android Rogue on Facebook


arogMalware has gone mobile, and now it’s getting social too.

A new one-two punch combination uses a malicious Javascript web injection on Facebook to try to fool users into downloading the iBanking rogue app onto their Android device.

How to Avoid Infection

First thing’s first: If you log onto Facebook on your computer and are mysteriously prompted to download a “unique software tool for safe and secure authentication” onto your Android device, do not proceed.

If this occurs, your computer has already been infected and downloading the software will infect your Android device as well. In the event that you are seeing such a prompt, we’d encourage you to seek help at our Help My PC is Infected! support forum. Malware removal is free, even if you are not an Emsisoft customer yet.

iBanking Play-by-Play

The prompt to download a “unique software tool” uses social engineering to try to trick Facebook users into downloading a supposed security app that enables two-factor authentication for their Facebook account. In reality, this “security app” is iBanking, an Android malware that can:

In the past, iBanking has typically targeted financial websites, using the same malicious Javascript inject technique to attempt to fool users into download. Typically, the form asks for a user’s phone number and device type, and then sends a download link directly to the device in an SMS message. From there, the malicious downloader contains detailed installation instructions, even showing users how to Enable App Installation from Unknown Sources in the Android settings.

iBanking first achieved notoriety back in February, when its source code was leaked on an underground forum, making it widely available to malware authors around the world. Though the malware’s fundamental strategy – infect through web injection and then monitor mobile device activity – is nothing original, its recent appearance on Facebook is a new development and cause for some concern. Simply put: it is much easier and much more cost effective to target a social media website used by billions than it is to target a handful of banking sites that any given user may or may not use. Additionally, the malicious web injection could very easily be confused with a real request to enable two-factor authentication, especially by users who might have been made a tad paranoid about their personal security by the recent Heartbleed crisis.

Protecting Yourself from iBanking

Emsisoft Mobile Security detects the iBanking malware as Android.Trojan.SMSSend.HM (B).
SHA-1: fc13dc7a4562b9e52a8dff14f712f2d07e47def4

Additionally, our Behavior Blocking technology is designed to stop malicious Javascript injects like the one that propagates iBanking before they infect your computer.

How’s that for a one-two punch?

Emsisoft Endpoint Protection: Award-Winning Security Made Simple

Experience effortless next-gen technology. Start Free Trial

Have a Great (Mobile-Malware) Free Day!

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next