iBanking – a Botnet on Android
Stephen Doherty Senior Threat Intelligence Analyst
iBanking - Agenda
1. iBanking – what is it?
2. The Evolution of iBanking
3. There’s no Honour among Thieves
iBanking
What is it?
What does the end user see?
Polish Fake AV Scanner
The Many Faces of iBanking
The Capabilities of iBanking?
Features of iBanking
Steal Device Information
Intercept SMS
Intercept Phone Calls
Forward/Redirect Calls
Steal Address Book
Record Audio on Microphone
Send SMS
Get geo-location
List files on file system
List running applications
Prevent uninstallation
Factory Reset
Controllable over SMS/HTTP
iBanking Control Panel
• Control multiple iBanking botnets from a single UI
iBanking Control Panel
• Simple dropdown to issue commands
iBanking Control Panel
Majority of control numbers in Russia
How do I get infected with iBanking?
Getting infected with iBanking
Getting infected with iBanking
But that’s not all!
• My PC is secure
• I wouldn’t fall for this type of social engineering scam
Chance Lodging software in Google Play - GFF
The Evolution of iBanking
How has it evolved?
iBanking – pre-sale version in the wild (August 2013)
• Earliest iBanking variant discovered
• Simple call redirector/SMS sniffer
• Control Server Registrant Email
Russian private forum (September 17th, 2013)
iBanking source code leaked (February 2nd, 2014)
iBanking source code leaked (February 2nd, 2014)
Android 0-day exploit in work (March 6th, 2014)
“Work! In the near future is expected to announce in my workshop! 0-day vulnerability in android! :-)”
There is no honour among thieves
A hacker's quest to recover 65k stolen bitcoins
ReVOLVeR
https://twitter.com/rev_priv8
The Priv8 Team
Wanna sign up?
Hey I lost 65k BTC, can you help me?
• Phones are secure right?
– Store your Bitcoin wallet/credentials on the phone
• ReVOLVeR gets busy reversing!
– Command & Control
• myredskins.net
iBanking Control Panel – Admin login
• Authentication required!
http://[IBANKING_DOMAIN]/iBanking/sendFile.php
There be treasure?
ReVOLVeR – Hacking the BBC
BBC confirms Hacking incident
ReVOLVeR – Reselling iBanking
January 6th, 2014
Thank you!
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Stephen Doherty,
Senior Threat Intelligence Analyst,
Attack Investigations Team,