Saturday, March 1, 2014

Android/iBanking Malware & How was Hacked

Android/iBanking is malware that runs on Android smartphones. In addition to intercepting SMS (text) messages, recording audio, and stealing contact lists, it is used by cyber criminals to complete fraudulent transactions. For example, when a one-time verification code or PIN is sent to an infected phone via SMS, the criminals can intercept that text message and defeat multi-factor authentication.

It was available on the criminal underground for $4-5k USD. The source code has since been 'leaked'. In reality there was no leak; someone made a builder that repackages the original malware with different configurations.

Features of Android/iBanking from an advertisement for it:
Functionality:
- Grabbing all information about the victim (Phone Number, ICCID, IMEI, IMSI, Model, OS)
- Intercepting all incoming SMS and sending them to the web panel and to the control number.
- Forwarding calls to any number
- Grabbing all incoming and outgoing SMS
- Grabbing all incoming and outgoing CALLS
- Recording an audio file and sending it to the server (we know what is happening around the phone)
- Sending SMS to any number without the owner's knowledge
Convenient Web Panel: So, this software is for sale, the bot costs 4k; the package includes an admin panel set up on your server + a control web number + an APK file with a unique interface developed for your needs, as well as ongoing product support.
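The advertised capability list maps onto a small set of Android permissions plus a high-priority receiver for the SMS_RECEIVED broadcast, which is what lets a bot read a verification code before the stock messaging app does. As an added example (not code from this post or from the malware), the script below triages a decoded AndroidManifest.xml, such as apktool produces, for that combination; the manifest it runs on is constructed for the example, and the permission sets and scoring threshold are my own choices.

```python
import xml.etree.ElementTree as ET

# Android resource namespace used for the android:* attributes.
A = "{http://schemas.android.com/apk/res/android}"

# Permission sets that map to the capabilities in the iBanking advertisement.
CAPABILITIES = {
    "intercept_sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "send_sms": {"android.permission.SEND_SMS"},
    "record_audio": {"android.permission.RECORD_AUDIO"},
    "call_control": {"android.permission.PROCESS_OUTGOING_CALLS", "android.permission.CALL_PHONE"},
    "device_ids": {"android.permission.READ_PHONE_STATE"},
    "contacts": {"android.permission.READ_CONTACTS"},
}

def triage_manifest(xml_text):
    """Return the capability set and SMS receivers declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    caps = sorted(c for c, needed in CAPABILITIES.items() if needed & perms)
    # A receiver for SMS_RECEIVED with a very high priority is ordered before
    # the stock messaging app, which is what lets a bot read (and hide) codes.
    receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                receivers.append((recv.get(A + "name"), int(flt.get(A + "priority", "0"))))
    high_prio = any(p >= 1000 for _, p in receivers)
    suspicious = "intercept_sms" in caps and high_prio and len(caps) >= 3
    return {"capabilities": caps, "sms_receivers": receivers, "suspicious": suspicious}

# Constructed sample manifest (not a real iBanking sample), shaped like the
# capability list: SMS interception, audio recording, contacts, device IDs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Bank Security">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` to get the capability list, the SMS receivers with their priorities, and a suspicious flag; legitimate messaging apps also declare these receivers, so treat the flag as a triage hint rather than a verdict.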

Xylitol posted samples for this malware already.

I had a look inside the C&C server.
inetnum: -
descr: Digital Ocean, Inc.
country: NL


Once logged in, you are presented with your 'Projects' page.
Each campaign is associated with a Project ID.
This organizes groups of phones and allows delegating projects to different users.

Click on the Project ID that has a 'phone count' and the phone list tab appears, allowing you to get details on the phones in that project. 

Now you can see the phone numbers, model, IMEI, OS, and the last command sent to each phone.

The malware is also running in the google_sdk emulator and in the TrendMicro sandbox. This looks like an AV scanner record, not an actual infection. It could also be the admin doing some testing.

You can see the command options to send out to bot phones:
start sms, stop sms, start call, stop call, start rec, stop rec, start call to #, get sms, get call, contact list, send sms, check url

I see the "Control" number on this bot phone: +883320340295 - this leads me to an interesting find, see 'BBC hack' below.

I found another control number, +37061513564, on infected phones in the panel.
This guy has the same cell phone number. He is selling CD keys.
He prefers texting after 3:30. Hmmm..ok.
E-mail: or
Skype: zerafik (only write about that game).
mob. phone: +37061513564 (better to text or call after 15.30).

Starting a new project looks like this:

Oh yes, I also hacked your mySQL phpMyAdmin:

Even though the same 'control' phone number record was in this panel, I did not find the SMS text message record with the BBC credentials in the database. This BBC cell number could be part of the 'leaked' iBanking source, but I don't have any other panels to compare this one to.


I Googled one of the 'control' cell phone numbers I found "+883320340295" to learn more about this number and found some interesting stuff. 

Some Russian hacker, ReVOLVeR, was helping a friend recover a password from a backup of his lost smartphone.
While looking through the phone, he discovered this same iBanking malware installed on it. He hacks the C&C ( and finds an Android smartphone that has been infected.
This other infected smartphone had credentials for stored on the phone. I would assume this phone belongs to a BBC employee in the IT department. ReVOLVeR then takes the credentials from the BBC phone, logs in, and proceeds to root the box.

The whole truth about the breaking story began with a request: one of my friends asked me to figure out where a not-so-small number of Bitcoins from his account on a BTC exchange had gone. As it turned out, he kept his username and password on his cell phone running Android. Having received a backup of the phone, I began to study the animal. The research work itself: the bot's APK. 1. You need to convert the apk into a jar. 2. Load the resulting jar into a decompiler. In the decompiled code you can see that the bot can receive commands from the management server, which is located somewhere on agricultural resources, and via SMS messages. List of commands via SMS:
In the administration panel I found the username and password for an FTP server; probably one of the employees uses Android and received the password via SMS. Having logged in, I saw that I had sufficient rights to see the root directory. In the root, /dumr, I found neatly stored data from /etc, in particular group; shadow; passwd;
DES is not the most cryptographically strong, and accordingly, within the next few hours I had root rights on the server, as well as the users' private keys, which gave me the opportunity to connect to the rest of the company's servers. As a bonus, I took a screenshot and pulled a full backup of the system; I want to share part of it with you:

Later the press was full of reports of the burglary and an attempted resale. Friends, none of that is for sale; we, the site's team, conducted research only, which showed three things: 1. No one is immune from human stupidity. 2. Viruses, namely for mobile gadgets, are gaining serious momentum. 3. At the BBC the hole for exploitation from the outside has not been covered, and my posts on Twitter and e-mail are met with silence. The Bitcoins could not be recovered; the bot was untied, which I spread to everyone's joy in the administrator panel.
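ReVOLVeR's remark that DES crypt hashes fell within hours is a condition a defender can check on any Linux host. As an added example (not part of his post or this blog), the script below classifies the hash field of /etc/shadow entries by its crypt(3) format and flags legacy DES and MD5 hashes and empty password fields; the shadow lines it runs on are constructed, with fake hash values.

```python
import re

# crypt(3) format prefixes; an unprefixed 13-character field is traditional DES crypt.
PREFIXES = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$y$": "yescrypt",
            "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$1$": "md5crypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
WEAK = {"descrypt", "md5crypt", "empty"}

def classify(field):
    """Name the hash format of one shadow password field."""
    if field == "":
        return "empty"            # no password required at all
    if field.startswith(("!", "*")):
        return "locked"           # account cannot log in with a password
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "descrypt"         # 56-bit DES, brute-forceable on commodity hardware
    return "unknown"

def audit_shadow(text):
    """Return (user, format) for every entry whose format is in WEAK."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        kind = classify(parts[1])
        if kind in WEAK:
            findings.append((parts[0], kind))
    return findings

# Constructed sample; the hash values are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhashjustaplaceholderlongenoughtolooklikeone:15000:0:99999:7:::
legacy:abCdEfGh12345:15000:0:99999:7:::
old:$1$salt$notarealmd5cryptvalue:15000:0:99999:7:::
svc:!:15000:0:99999:7:::
guest::15000:0:99999:7:::
"""
```

On a real host, feed it the contents of /etc/shadow (root required) and re-hash any flagged accounts with the system default (sha512crypt or yescrypt on current distributions).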


I'm not sure I believe he just found the bbc credentials on that infected phone. Maybe he did, who cares.

We can however thank ReVOLVeR for showing us once again that even for something that costs $4-5k USD on the elite Internet underground, this kit is just another huge pile of garbage.

Mobile malware is just in its infancy. This kind of malware will soon be the norm. Not many people run anti-virus on their phones and are left exposed. Facebook is investing huge amounts of capital to be in the emerging markets where the mobile users are. Cyber criminals see this opportunity as well. 
