By Jennifer LeClaire / CIO Today. Updated April 17, 2014.
The Heartbleed bug is still a very real issue for IT admins, but it’s far from the only issue. The latest woe comes in the form of a malicious Android application called iBanking. When you install it on your mobile phone it can spy on your communications.
Security researchers at ESET, an antivirus vendor, identified the malware. Calling it a bot, the firm said it has phone-specific capabilities that range from capturing incoming and outgoing text messages to redirecting incoming voice calls to grabbing audio using the device’s microphone.
“As reported by independent researcher Kafeine, this mobile application was for sale in underground forums and was used by several banking Trojans in an attempt to bypass a mobile two-factor authentication method put forth by some financial institutions,” Jean-Ian Boutin, a malware researcher at ESET, wrote on the company’s blog.
From Banking to Facebook
Boutin explained that several banks around the world use this method, which is called “mobile transaction authorization number” or mToken in the financial realm, to authorize banking operations. However, it seems popular Internet giants like Facebook, Twitter and Google have also picked up the method.
“The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud,” Boutin said. “Although the Facebook two-factor authentication feature has been around for quite a while, it may be that there is a growing number of people using it, thus making account takeover through a regular account credentials grabber ineffective.”
Boutin said now that mainstream Web services such as Facebook are also targeted by mobile malware, it will be interesting to see whether other types of malware will start using webinjects, free tools for automated testing of Web services and Web apps.
“Will we see content injection functionalities and mobile malware used in non-financial types of malware so that they can take over accounts from popular Web services?” he asked. “Time will tell, but because of the commoditization of mobile malware and the associated code source leaks, this is a distinct possibility.”
PC Still Security Weak Link
We turned to Jeff Davis, vice president of engineering at Web information security solutions vendor Quarri Technologies, to get his take on the iBanking bot. He told us since Google has stepped up its game in filtering malicious apps from the Google Play store, Android malware authors have had to resort to novel and convoluted methods for getting their malware installed on users’ devices.
“The iBanking/webinject scheme uses what is becoming a standard technique: first it infects the user’s PC, then it uses this position to inject code into the user’s PC Web browser on a trusted site, telling the user that the trusted site wants them to ‘sideload’ an Android app, ostensibly for security reasons,” Davis said. “The attack even includes instructions on how to change their Android settings to allow sideloading, which should be a big red flag but apparently isn’t.”
Davis said this leads to a couple of conclusions. First, he said, the PC is still the weak link in Internet security, both for individuals and for enterprises. Now more than ever, he said, users and organizations really need to run modern anti-malware solutions on computers used to access the Internet.
“Second, sideloading is a major vector for malware getting installed on Android devices. Although Android provides a warning about sideloading making your device more vulnerable when you enable it, it seems that warning isn’t strong enough,” Davis concluded. “Maybe they need bold, blinking red text saying, ‘Legitimate apps are rarely installed this way! You’re probably installing malware on your device!’”