Watch out for iBanking Android Rogue on Facebook

Malware has gone mobile, and now it’s getting social too.

A new one-two punch combination uses a malicious JavaScript web injection on Facebook to try to fool users into downloading the iBanking rogue app onto their Android device.

How to Avoid Infection

First things first: If you log onto Facebook on your computer and are mysteriously prompted to download a “unique software tool for safe and secure authentication” onto your Android device, do not proceed.

If this occurs, your computer has already been infected and downloading the software will infect your Android device as well. In the event that you are seeing such a prompt, we’d encourage you to seek help at our Help My PC is Infected! support forum. Malware removal is free, even if you are not an Emsisoft customer yet.

iBanking Play-by-Play

The prompt to download a “unique software tool” uses social engineering to try to trick Facebook users into downloading a supposed security app that enables two-factor authentication for their Facebook account. In reality, this “security app” is iBanking, Android malware that can:

  • Intercept real two-factor authentication codes sent by real service providers
  • Capture any incoming/outgoing SMS text
  • Redirect outgoing calls to a pre-programmed phone number
  • Capture audio by activating the microphone
  • Steal metadata – call log and contacts list
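
The capabilities listed above correspond to a small set of standard Android permissions, so a supposed authentication app can be triaged from its manifest before it is installed. The following Python sketch is an added example, not code from Emsisoft or from the original post; the permission mapping, the threshold, and the sample manifest (package com.example.fakeauth) are assumptions constructed for illustration, and it expects an AndroidManifest.xml already decoded to text XML (for example with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the capabilities listed above to standard Android
# permissions; the article does not list the permissions iBanking requests.
CAPABILITY_PERMISSIONS = {
    "intercept or capture SMS": {"RECEIVE_SMS", "READ_SMS", "SEND_SMS"},
    "redirect outgoing calls": {"PROCESS_OUTGOING_CALLS"},
    "record audio": {"RECORD_AUDIO"},
    "read call log and contacts": {"READ_CALL_LOG", "READ_CONTACTS"},
}

def requested_permissions(manifest_xml):
    """Return short permission names from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in root.iter("uses-permission"):
        name = tag.get(ANDROID_NS + "name", "")
        if name.startswith("android.permission."):
            names.add(name.rsplit(".", 1)[1])
    return names

def triage(manifest_xml, threshold=3):
    """Map permissions to capabilities; flag when `threshold` or more match."""
    perms = requested_permissions(manifest_xml)
    hits = {cap: sorted(perms & needed)
            for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    return {"capabilities": hits, "suspicious": len(hits) >= threshold}

# Constructed sample manifest for a hypothetical "authentication" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeauth">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    for cap, perms in report["capabilities"].items():
        print(f"{cap}: {', '.join(perms)}")
    print("suspicious:", report["suspicious"])
```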

In the past, iBanking has typically targeted financial websites, using the same malicious JavaScript injection technique to attempt to fool users into downloading it. Typically, the form asks for a user’s phone number and device type, and then sends a download link directly to the device in an SMS message. From there, the malicious downloader contains detailed installation instructions, even showing users how to Enable App Installation from Unknown Sources in the Android settings.

iBanking first achieved notoriety back in February, when its source code was leaked on an underground forum, making it widely available to malware authors around the world. Though the malware’s fundamental strategy – infect through web injection and then monitor mobile device activity – is nothing original, its recent appearance on Facebook is a new development and cause for some concern. Simply put: it is much easier and much more cost-effective to target a social media website used by billions than it is to target a handful of banking sites that any given user may or may not use. Additionally, the malicious web injection could very easily be confused with a real request to enable two-factor authentication, especially by users who might have been made a tad paranoid about their personal security by the recent Heartbleed crisis.

Protecting Yourself from iBanking

Emsisoft Mobile Security detects the iBanking malware as Android.Trojan.SMSSend.HM (B).
SHA-1: fc13dc7a4562b9e52a8dff14f712f2d07e47def4

Additionally, our Behavior Blocking technology is designed to stop malicious JavaScript injects like the one that propagates iBanking before they infect your computer.

How’s that for a one-two punch?

Have a Great (Mobile-Malware) Free Day!

  • Legend

    Yeap, Facebook and other major social platforms have become and will increasingly become a platform for data-stealing malware/spyware. You have to have 360-degree protection on all multimedia platforms you own, imho. To protect you and your friends' email addresses, and your personal sensitive information and funny moments, captured on your phone. :-))

  • RaeC

    Does Emsisoft have a program for Androids and iPhones?
