Tuesday, May 27, 2014

Analysis of IBanking malware

Attackers are increasingly targeting mobile devices. A malware toolkit called IBanking has been sold in underground forums for up to US$5,000. Last February its source code was leaked, and since then the number of samples seen in the wild has gone up. You can read the full story in Symantec's blog post.

A number of samples were submitted to Contagio, and with my reversing skills and curiosity kicking in, I analyzed one of the samples.

Filename: 1F68ADDF38F63FE821B237BC7BAABB3D_IBanking_Chase.apk

When you first start the app, it forces itself to be installed as a device administrator: even if you cancel, it immediately re-launches the screen asking the user to activate it as an administrator. I am not sure how this was done programmatically.

Installing this app as a device administrator gives it the ability to wipe your data and lock your phone.

This malware disguises itself as an anti-virus program, but the scan it shows is fake; in the background it carries out the functions described below.

Command and Control

This bot can communicate with, and accept commands from, both a web server and a phone number. The following are the CnC servers and numbers for this malware.

  • myredskins.net
  • mynamesmith.com
  • +79067075145
  • +790670751454
The servers above are hosted in Russia, and the phone numbers carry Russia's +7 country code.


The CnC web servers are defined in res/values/arrays.xml
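As an added illustration (not code from the original analysis), the following Python pulls the same indicators out of a decoded APK's resource files, the way an analyst would after running apktool on the sample. The two XML snippets are constructed stand-ins for res/values/arrays.xml and res/values/strings.xml; the resource names `servers` and `bot_id`, and the list of server-side script paths used to derive full URLs, are assumptions built from the domains and paths described in this post.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for res/values/arrays.xml. The array name "servers"
# is an assumption; the two domains are the ones found in the sample.
ARRAYS_XML = """<resources>
    <string-array name="servers">
        <item>myredskins.net</item>
        <item>mynamesmith.com</item>
    </string-array>
</resources>
"""

# Constructed stand-in for res/values/strings.xml. The resource name "bot_id"
# and its value are assumptions; the post only says bot_id lives in strings.xml.
STRINGS_XML = """<resources>
    <string name="app_name">AntiVirus</string>
    <string name="bot_id">1234</string>
</resources>
"""

# Server-side script paths the sample talks to, per the analysis in this post.
KNOWN_PATHS = (
    "/iBanking/sms/ping.php",
    "/iBanking/sms/index.php",
    "/iBanking/sms/sync.php",
    "/iBanking/getList.php",
    "/iBanking/sendFile.php",
)

# Loose hostname check so that non-domain strings in other arrays are skipped.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def string_arrays(xml_text):
    """Return {array_name: [items]} for every <string-array> in arrays.xml."""
    root = ET.fromstring(xml_text)
    return {
        arr.get("name"): [(item.text or "").strip() for item in arr.findall("item")]
        for arr in root.iter("string-array")
    }


def string_values(xml_text):
    """Return {name: value} for every <string> in strings.xml."""
    root = ET.fromstring(xml_text)
    return {s.get("name"): (s.text or "").strip() for s in root.iter("string")}


def extract_iocs(arrays_xml, strings_xml):
    """Collect C2 domains, the bot_id and the derived C2 URLs from decoded resources."""
    domains = sorted(
        item
        for items in string_arrays(arrays_xml).values()
        for item in items
        if DOMAIN_RE.match(item)
    )
    bot_id = string_values(strings_xml).get("bot_id")
    # Domains x script paths gives the full set of URLs to block or hunt for.
    urls = [f"http://{d}{p}" for d in domains for p in KNOWN_PATHS]
    return {"domains": domains, "bot_id": bot_id, "urls": urls}


if __name__ == "__main__":
    print(json.dumps(extract_iocs(ARRAYS_XML, STRINGS_XML), indent=2))
```

Pointing the two functions at the real decoded files instead of the constructed strings is the only change needed to run this against a sample; keep in mind that other builds of the kit may store the server list under a different array name or in code rather than in resources.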



It iterates over its list of CnC web servers and checks whether each one is active via an HTTP POST to:

  • {domain}/iBanking/sms/ping.php


If the server replies as expected, it POSTs the following information to {domain}/iBanking/sms/index.php:
  • bot_id (defined in strings.xml)
  • telephone number
  • iccid
  • device model
  • OS version
  • IMEI
  • control_number (this is the CnC phone number)

This bot can accept commands from its CnC via SMS or HTTP. It intercepts every incoming SMS and checks the sender's number against the CnC phone number.

Via HTTP it reads commands from:

  • {domain}/iBanking/sms/sync.php


It looks for the following command strings:

  • sms start - tell the bot to start intercepting and reading SMS
  • sms stop - tell the bot to stop intercepting and reading SMS
  • call start - forward calls to +79067075145
  • call stop - stop call forwarding
  • change num - tell the bot to change the CnC phone number
  • sms list - read the SMS inbox and sent messages and POST them to {domain}/iBanking/getList.php
  • call list - read the call history (INCOMING, OUTGOING and MISSED calls) and POST it to {domain}/iBanking/getList.php
  • start record - start audio recording. The file is saved as {externaldir}/Android/obb/{dd-MM-yyyy_HH-mm-ss}.txt (note the .txt extension on an audio file) and is then uploaded to {domain}/iBanking/sendFile.php
  • stop record - stop recording.
  • sendSMS - send intercepted SMS to the CnC phone number.
  • contact list - get the contact list
  • wipe data - wipe the device if device administrator is enabled.
  • ping - check whether the CnC server is alive
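Detection logic for the HTTP side, as an added example that is not part of the original post: it runs over a handful of constructed proxy log lines (the line format, client addresses and timestamps are invented; the hosts and the /iBanking/ script paths are the indicators documented above) and flags requests by known host, by script path regardless of host, and by the ping.php followed by index.php check-in sequence described earlier.

```python
import re
from collections import defaultdict

# Constructed proxy log lines. The format (timestamp client method host path status),
# the client addresses and the timestamps are invented; the hosts and /iBanking/
# paths are the indicators from the analysis above. c2.example stands for a
# host not on the known list, to show path-only matching.
LOG_LINES = """\
2014-05-27T09:58:10Z 10.0.0.5 GET cdn.example.org /images/logo.png 200
2014-05-27T10:00:01Z 10.0.0.5 POST myredskins.net /iBanking/sms/ping.php 200
2014-05-27T10:00:02Z 10.0.0.5 POST myredskins.net /iBanking/sms/index.php 200
2014-05-27T10:05:00Z 10.0.0.5 POST myredskins.net /iBanking/sms/sync.php 200
2014-05-27T10:06:30Z 10.0.0.5 POST myredskins.net /iBanking/getList.php 200
2014-05-27T10:07:00Z 10.0.0.9 POST c2.example /iBanking/sms/ping.php 200
2014-05-27T10:07:05Z 10.0.0.9 GET mynamesmith.com /favicon.ico 404
""".splitlines()

# CnC domains found in the sample.
C2_DOMAINS = {"myredskins.net", "mynamesmith.com"}

# Server-side scripts the bot talks to: ping/index (check-in), sync (commands),
# getList (SMS/call/contact exfil) and sendFile (audio upload).
C2_PATH_RE = re.compile(
    r"^/iBanking/(?:sms/(?:ping|index|sync)|getList|sendFile)\.php$"
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

CHECKIN = {"/iBanking/sms/ping.php", "/iBanking/sms/index.php"}


def parse(line):
    """Split one constructed log line into fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return (severity, reason) for a request, or None if nothing matches."""
    path_hit = bool(C2_PATH_RE.match(rec["path"]))
    host_hit = rec["host"].lower() in C2_DOMAINS
    if path_hit and host_hit:
        return ("high", "known iBanking CnC host and script path")
    if path_hit:
        # Domains change between campaigns; the script layout is the sturdier pattern.
        return ("high", "iBanking CnC script path on unlisted host")
    if host_hit:
        return ("medium", "contact with known iBanking CnC host")
    return None


def detect(lines):
    """Return (alerts, checked_in): per-request alerts and clients that
    completed the ping.php -> index.php registration sequence."""
    alerts = []
    paths_by_client = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is None:
            continue
        alerts.append((rec["client"], rec["host"], rec["path"]) + verdict)
        paths_by_client[rec["client"]].add(rec["path"])
    checked_in = sorted(
        c for c, paths in paths_by_client.items() if CHECKIN <= paths
    )
    return alerts, checked_in


if __name__ == "__main__":
    alerts, checked_in = detect(LOG_LINES)
    for a in alerts:
        print(*a)
    print("registered bots:", checked_in)
```

Matching the path on its own is what makes this useful after the domains in arrays.xml have been swapped for new ones; the cost is that any unrelated web application serving scripts under /iBanking/ would also trip it, so tune the regex to your environment. The SMS command channel leaves nothing in web logs at all, so it needs device-side telemetry rather than network detection.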

Looking at what this piece of malware is capable of, it is quite scary to see all of those features packed into a single sample, and it is not far-fetched to expect malware with even more powerful features soon. Users should always be careful about what they visit and what they install on their devices.