The Commoditization of Mobile Banking

Malware

Jean-Ian Boutin

ESET

Outline

• Historical Background

• Forums

• Technical Part

• Android

• Conclusion

2

Historical Background

The Beginnings

• ZitMo appearance in 2010

• Commands received through

SMS

• One purpose: intercept mTAN

4

New and Exciting

• Woah, a new C&C

number!

5

Old and Boring

• Mobile banking malware is

now common

• Android market share

increase brought some

advantages to the cyber

criminals

6

Forums

Installation Through Social Engineering

8

Installation Through Social Engineering

9

Perkele

• Appeared in 2013• Sold in semi-private

forums• Single use application:

1000$• Universal kit: 15000$

10

iBanking

11

iBanking

12

iBanking Source Code “Leak”

• In February 2014, someone posted that iBanking source code was

leaked

• In fact, the control panel code was leaked, but not the Android

source code.

• A builder is available that can change C&C address/phone number

and application skin

13

Other offerings

14

Other offerings

15

Other offerings

16

Mobile Banking Malware Bundled With Webinject Kit

• A perkele variant included in well known webinject framework sold

by yummba

17

Technical Aspects

Perkele SMS Divert – How to?

19

Perkele SMS Divert – How to?

20

iBanking Permissions

• Having more capabilities requires a lot more permissions

• Persistence without user interaction is done through RECEIVE_BOOT_COMPLETED

21

iBanking Commands

# sms start

# sms stop

# call start

# call stop

# change num

# sms list

# call list

# start record

# stop record

# sendSMS

# contact list

# wipe data

# ping

/android/sms/ping.php

/android/sms/index.phpInitialization/Heartbeat calls

/android/sms/sync.php

/android/sms/saveSMS.php

/android/getList.php

/android/sendFile.php

Command receive

Data Upload

22

23

iBanking SMS Divert – How to?

• Commands can be sent over HTTP or SMS

• SMS commands are accepted only if they are coming from known

telephone numbers

24

iBanking Analysis Thwarting Tricks

• Checks for default Android emulator values

• IMEI• IMSI• Operator• Telephone #

• JAVA obfuscation

25

Android Remediation

Android Platform Remediation

• Starting with KitKat, no longer possible to bypass Default Messaging app using the aforementioned technique

27

Source: wikipedia.com

28

Conclusion

• Commoditization led to

• Wider distribution

• Specialization

29

Special thanks to

Anton Cherepanov

Questions ?

@jiboutin

Thank You!