iBanking: The $5,000 Android Malware-as-a-Service Threat

By James Green ~ June 2nd, 2014 4:20 PM MST


Malware-as-a-service (MaaS) has been a popular cybercriminal industry of late. From humble beginnings as a SMS stealer, iBanking became a powerful Android Trojan used to steal banking credentials from victims. The $5,000 price tag for this malware meant the clientele was mostly organized cybercriminal games with a sizeable amount of liquid capital, keeping the customer base and global infection rate minimal. That was until the iBanking source code was leaked onto the web in February, and since then iBanking activity has increased dramatically.

The Android iBanking Trojan is used to overcome the 2-step verification process that many modern banks use. Online banking often requires that the bank customer enter a special PIN number to log in to their bank account, these PIN numbers are sent via SMS message to the customers mobile device. Android iBanking Trojans seek to intercept these PIN numbers and so cybercriminals can gain access to the victim’s bank account.

Often the victim’s computer will already be infected with banking malware that will prompt the user to download an Android application for additional security. The user enters their contact information to receive the Android security app and they are sent a link to download the Android iBanking Trojan. Once installed on the device the iBanking Trojan begins to monitor all incoming and outgoing SMS messages and uploading their contents to a remote server controlled by the cybercriminals. Once the cybercriminals have obtained to the banking credentials they can then use the PIN number to gain access to the victim’s online bank account.

The Android iBanking Trojan is capable of stealing more than SMS message, as proven by twitter user ReVOLVeR who unintentionally uncovered the iBanking source code and may have been party to it being published on the internet. ReVOLVeR was investigating the theft of 65,000 Bitcoins from a friend which he attributed to a mobile device infected with the iBanking Trojan app. ReVOLVeR believes that the iBanking Trojan was used to steal the username and password for the Bitcoin wallet containing the Bitcoin fortune. The investigation was live tweeted from ReVOLVeR’s twitter account and in the process of the investigation this hacker demonstrated some of the other information that can be stolen by the Android iBanking Trojan.

The malicious features of the Android iBanking Trojan include the following:

  • Stealing phone information –phone number, ICCID, IMEI, IMSI, model, operating system
  • Intercepting incoming/outgoing SMS messages and uploading them to the control server
  • Intercepting incoming/outgoing calls and uploading them to the control server in real time
  • Forwarding/redirecting calls to an attacker-controlled number
  • Uploading contacts information to the control server
  • Recording audio on the microphone and uploading it to the control server
  • Sending SMS messages
  • Getting the geolocation of the device
  • Access to the file system
  • Access to the program listing
  • Preventing the removal of the application if administrator rights are enabled
  • Wiping/restoring phone to the factory settings if administrator rights are enabled
  • Obfuscated application code

While the source code for this Trojan is available for free online it is likely that organized groups of cybercriminals will likely continue to pay for the Malware-as-a-Service to receive software updates and product support.

Common Sense Protection

All too often we do not listen to our inner skeptic but we must learn to. The internet is rife with social engineering tricks and scams that are aimed at embezzling your money or sensitive information. Be safe and be skeptical.

  • Always research applications prior to installing any kind of software on your computer or mobile device. Review the developer’s website and look for customer service details, also review the developer’s social media pages to see what other people are saying about them.
  • Stay current with updates. Updates often contain patches to newly discovered security vulnerabilities and help to protect against cyber attacks.
  • Install and use some kind of antivirus software. AV software is designed to inform you before you make a terrible software mistake.

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email:; Twitter: @James_AfA