Slides from my CARO2014 presentation
The Commoditization of Mobile Banking
Malware
Jean-Ian Boutin
ESET
Outline
• Historical Background
• Forums
• Technical Part
• Android
• Conclusion
Historical Background
The Beginnings
• ZitMo appearance in 2010
• Commands received through SMS
• One purpose: intercept mTAN
New and Exciting
• Woah, a new C&C number!
Old and Boring
• Mobile banking malware is now common
• The increase in Android market share brought some advantages to the cybercriminals
Forums
Installation Through Social Engineering
Perkele
• Appeared in 2013
• Sold in semi-private forums
• Single use application: $1000
• Universal kit: $15000
iBanking
iBanking Source Code “Leak”
• In February 2014, someone posted that the iBanking source code had been leaked
• In fact, the control panel code was leaked, but not the Android source code
• A builder is available that can change the C&C address/phone number and the application skin
Other offerings
Mobile Banking Malware Bundled With Webinject Kit
• A Perkele variant is included in a well-known webinject framework sold by yummba
Technical Aspects
Perkele SMS Divert – How to?
iBanking Permissions
• Having more capabilities requires a lot more permissions
• Persistence without user interaction is done through RECEIVE_BOOT_COMPLETED
iBanking Commands
• sms start
• sms stop
• call start
• call stop
• change num
• sms list
• call list
• start record
• stop record
• sendSMS
• contact list
• wipe data
• ping
C&C endpoints (grouped on the slide as initialization/heartbeat calls, command receive and data upload):
• /android/sms/ping.php
• /android/sms/index.php
• /android/sms/sync.php
• /android/sms/saveSMS.php
• /android/getList.php
• /android/sendFile.php
iBanking SMS Divert – How to?
• Commands can be sent over HTTP or SMS
• SMS commands are accepted only if they come from known telephone numbers
iBanking Analysis Thwarting Tricks
• Checks for default Android emulator values
  • IMEI
  • IMSI
  • Operator
  • Telephone #
• Java obfuscation
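As an added defender-side example, not taken from the slides, here is a small Python triage routine that scans strings dumped from a decompiled APK for the iBanking C&C endpoint paths listed above, for hard-coded default emulator identifiers (the anti-analysis check described above), and for the boot-persistence permission. The sample strings are constructed, and the specific emulator default values are the stock Android SDK emulator identifiers, which the slides do not give (my assumption that a sample embedding them is doing this check).

```python
# C&C endpoint paths used by iBanking (from the slide)
IBANKING_PATHS = (
    "/android/sms/ping.php", "/android/sms/index.php", "/android/sms/sync.php",
    "/android/sms/saveSMS.php", "/android/getList.php", "/android/sendFile.php",
)

# Identifiers returned by the stock Android SDK emulator (assumption: a sample
# embedding them as literals is doing the emulator check the slide describes)
EMULATOR_DEFAULTS = {
    "000000000000000": "IMEI",
    "310260000000000": "IMSI",
    "15555215554": "telephone #",
}

# Boot persistence (from the slide) plus the permissions the SMS and
# call-recording commands would need
WATCH_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO",
}

# Constructed sample of strings from a decompiled APK, not from a real sample
SAMPLE_STRINGS = [
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    "000000000000000",
    "310260000000000",
    "http://c2.example.invalid/android/sms/ping.php",
    "http://c2.example.invalid/android/sendFile.php",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.RECEIVE_SMS",
]


def triage(strings):
    """Return the indicators from each category that appear in the string dump."""
    hits = {"cnc_paths": set(), "emulator_checks": set(), "permissions": set()}
    for s in strings:
        for path in IBANKING_PATHS:
            if s.endswith(path):  # the path is usually embedded in a full URL
                hits["cnc_paths"].add(path)
        if s in EMULATOR_DEFAULTS:  # hard-coded emulator default value
            hits["emulator_checks"].add(EMULATOR_DEFAULTS[s])
        if s in WATCH_PERMISSIONS:
            hits["permissions"].add(s)
    return {k: sorted(v) for k, v in hits.items()}


def verdict(hits):
    """Flag on a C&C path, or on an emulator check combined with boot persistence."""
    boot = "android.permission.RECEIVE_BOOT_COMPLETED" in hits["permissions"]
    return bool(hits["cnc_paths"]) or (bool(hits["emulator_checks"]) and boot)
```

An emulator default or the boot permission alone is weak evidence (legitimate apps use both), which is why the verdict only combines them.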
Android Remediation
Android Platform Remediation
• Starting with KitKat (Android 4.4), it is no longer possible to bypass the default messaging app using the aforementioned technique
Source: wikipedia.com
Conclusion
• Commoditization led to
  • Wider distribution
  • Specialization
Special thanks to
Anton Cherepanov
Questions?
@jiboutin
Thank You!