iBanking malware can spy on Android users
Security firm ESET has warned it has detected a malicious Android application capable of spying on a users’ communications.
The iBanking app has capabilities including capturing incoming and outgoing SMS, redirecting incoming voice calls and even capturing audio using the device’s microphone.
The app is being sold on underground forums, and has been used by several banking trojans in an attempt to bypass mobile two-factor authentication methods used by some financial institutions and web services firms.
ESET said an analysis of the banking trojan Win32/Qadars has uncovered a Webinject method that seeks to lure Facebook users into installing iBanking by disguising it as a two-factor authentication app for the social network.
This is the first time ESET has seen such a mobile application targeting Facebook users for account fraud, as the download would enable attackers to circumvent the social network’s own two-factor authentication.
Alternatively, cybercriminals may simply be using the Webinject method as a way to ensure iBanking is installed on devices so bot masters can make use of its other spying functionalities.
In a blog post, ESET malware researcher Jean-Ian Boutin said now that mainstream web services are being targeted by mobile malware, the use of Webinjects could become more prevalent.
“Will we see content injection functionalities and mobile malware used in non-financial types of malware so that they can take over accounts from popular web services? Time will tell, but because of the commoditisation of mobile malware and the associated code source leaks, this is a distinct possibility,” he said.
Too much of a good thing: Australia's cyber overlap issue
Recent research indicates many organisations may have too many security systems with overlapping...
The true cost of cyber attacks
The average annual expense of recovering and dealing with cyber attacks has surpassed AU$4.1...
Tackling the human element in modern authentication: the phishing-resistant user
Integrating human-centric cybersecurity strategies is not merely an option but a necessity in...