Malicious iBanking application with new uninstall countermeasures

Date of publication: 16/03/2016, Malgorzata Debska

Our CERT laboratory recently received a sample of iBanking malware (along with the malicious JavaScript snippet associated with it) posing as the mobile version of the Trusteer Rapport antimalware solution. The attack scenario is not new and has been used many times in the past, but recently we have seen an increase in attacks on Polish users of electronic banking using this method. Compared to previous, similar programs, the analyzed application proved much more difficult to remove and its code was much better obfuscated.

Attack scenario:

The infection scheme is similar to those described previously by our team. The victim's PC is infected with malware that supports “webinjects”, i.e. small JavaScript snippets injected into the code of a website. Webinjects are prepared individually for each bank; the malware downloads them from its C&C server and executes them after the user logs into the e-banking account. In this case the criminals decided not only to steal online banking credentials but also to take control of the mobile phone in order to obtain one-time confirmation passwords.

After entering the bank's website, the infected client receives a pop-up message asking them to select their smartphone model and enter a phone number. The malicious code then “validates” the number in a rather amusing way: it merely checks that the number differs from a list hardcoded in the webinject:

// Numbers rejected by the webinject (note that several entries, e.g. '123456789', appear twice).
var bad_numbers = [
'111111111','222222222','333333333',
'444444444','555555555','666666666',
'777777777','888888888','999999999',
'000000000','123456789','987654321',
'123456789','987654321','911111111',
'922222222','933333333','944444444',
'955555555','966666666','977777777',
'988888888','999999999','900000000',
'123123123','321321321','111222333'
];

When the entered number is considered valid, which apparently is not very difficult, the server sends an SMS to the customer asking them to install an application from the link in the message body. According to the website, the main purpose of the application is to improve the security of the client's phone. The user also receives a “unique” six-digit activation code that must be entered during installation to activate the application. The code is far from unique: it is generated by the JavaScript as five random digits followed by a single check digit derived from them:

generateReqCode: function () {
// Five random digits in the range 10000..99999.
var min = 10000;
var max = 99999;
var part1 = Math.ceil(Math.random() * (max - min) + min);
var str = part1.toString();
// n1 pairs the 1st and 4th digit, n2 the 2nd and 5th, each as a two-digit number.
var n1 = parseInt(str.substr(0, 1)) * 10 + parseInt(str.substr(3, 1));
var n2 = parseInt(str.substr(1, 1)) * 10 + parseInt(str.substr(4, 1));
// Check digit: the last decimal digit of (n1 + n2) multiplied by the middle digit.
var check = (n1 + n2) * parseInt(str.substr(2, 1));
check = check.toString();
check = check.substr(check.length - 1);
return str + check;
},
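
The same check-digit scheme written out as an added example (this is our illustration, not code from the webinject or from the malware authors): a verifier that tells whether a six-digit code follows the generator's rule, a deterministic builder for testing, and a count of how many six-digit values pass. The function names reqCodeCheckDigit, buildReqCode, isValidReqCode and acceptanceRate are ours, and whether the criminals' server actually validates the digit this way is an assumption; the page only shows the generator.

```javascript
// Added example, not code from the analysed webinject. Reproduces the
// activation-code scheme of generateReqCode so that a code seen in a
// captured SMS can be checked against it. All function names are ours.

// Compute the check digit for a five-digit body exactly as the webinject
// does: pair digits 1+4 and 2+5 into two-digit numbers, add them, multiply
// by the middle digit and keep the last decimal digit.
function reqCodeCheckDigit(body) {
  if (!/^\d{5}$/.test(body)) {
    throw new Error('activation code body must be exactly five digits');
  }
  var d = body.split('').map(Number);
  var n1 = d[0] * 10 + d[3];
  var n2 = d[1] * 10 + d[4];
  return String(((n1 + n2) * d[2]) % 10);
}

// Build a six-digit code from a given five-digit body (deterministic, so it
// can be tested; the webinject draws the body from Math.random()).
function buildReqCode(body) {
  return body + reqCodeCheckDigit(body);
}

// Equivalent of the webinject's generator: random body in 10000..99999.
function generateReqCode() {
  var body = String(Math.floor(Math.random() * 90000) + 10000);
  return buildReqCode(body);
}

// Verify a six-digit code: true only if its last digit is the check digit
// of the first five. Anything that is not exactly six digits is rejected.
function isValidReqCode(code) {
  if (typeof code !== 'string' || !/^\d{6}$/.test(code)) {
    return false;
  }
  return reqCodeCheckDigit(code.slice(0, 5)) === code.charAt(5);
}

// Fraction of all 900000 six-digit values that pass the check. Exactly one
// check digit fits each five-digit body, so the result is 1 in 10.
function acceptanceRate() {
  var ok = 0;
  for (var v = 100000; v < 1000000; v++) {
    if (isValidReqCode(String(v))) ok++;
  }
  return ok / 900000;
}

// Example run (constructed input): '12345' -> n1 = 14, n2 = 25, (14+25)*3 = 117
console.log(buildReqCode('12345'));  // prints "123457"
console.log(isValidReqCode('123457'), isValidReqCode('123450'));  // true false
```

Only one six-digit value in ten passes the check, so the code carries just five random digits of entropy and the sixth digit presumably only lets the criminals' server reject mistyped codes, which shows how little “unique” means here.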

Once installed, the application looks like the popular mobile antimalware program Trusteer Rapport. This is, of course, not the first time that criminals have impersonated a well-known brand to lull the victim into a false sense of security and take control of the device.

What should immediately raise suspicion is that the application asks for device administrator privileges and the following permissions:

  • read/write/send/receive text messages to and from any number
  • read the contact list
  • lock the phone screen
  • redirect phone calls using the *21*phone_number# USSD code
  • read the call log
  • read any data from the SD card
  • get information about running apps
  • kill running processes

After entering the activation code, the application displays a return code that must be entered on the bank's website. In this way the phone number is associated with a specific e-banking user.

Once the installation of the malicious application has been confirmed, a login window is displayed on the injected bank website; the login and password entered there are sent to the criminals' C&C servers. In this way the cybercriminals gain not only the user's credentials but also control of the phone and of the one-time confirmation codes.

Mobile app capabilities

At first sight the application looks like an ordinary antivirus scanner. In fact its main task is to forward all stolen data to the criminals' phone number, which is stored in the application's database. Moreover, immediately after installation the “scanner” kills all running SMS applications (GoogleTalk, GOSMS), forcing the phone to fall back to the standard messaging application. This lets the malware easily take control of incoming and outgoing messages.

Uninstalling the app

The authors made uninstalling the application a difficult task. Since the user granted it device administrator privileges during installation, these have to be revoked first. Apart from the warning messages and the screen locking, this turns out to be quite simple. The problems start when you try to uninstall the “scanner”. Whether you use the standard application manager in the phone settings or an external application, the program blocks the uninstall by displaying a message asking the user to re-grant administrator privileges. This pop-up window appears on top of every other application installed on the phone and of all system dialogs.

The application also registers a broadcast receiver for android.intent.action.BOOT_COMPLETED, which lets it display the same message immediately after the phone starts up. Removing the application from the phone's menu seems impossible in this case. What can we do before resorting to the last option, a factory reset?

To solve this problem we will use a popular tool for managing a phone from the computer command line: ADB (Android Debug Bridge). After turning on the USB debugging option on the phone and revoking the administrator privileges from the malicious application, plug the phone into the PC and run adb.

First, to be able to uninstall the application, we need to know its package name. The installed packages can be listed with:

adb shell 'pm list packages -3'

This lists the package names of all non-system (third-party) apps installed on the phone. The next and final step is to uninstall the relevant package:

adb uninstall com.truster.secure

Summary

Attacks on mobile phones are becoming an increasingly popular way of gaining full access to a victim's bank account. In this particular case both the victim's computer and phone had to be infected. However, we must remember that sometimes an infection of the phone alone is enough to take over a bank account. Therefore, when installing a new phone application you should carefully review all the permissions it requests and, if they seem suspicious, decline and abort the installation.

Hashes:

aa6f87e50e9df2a88fc2146ba477abe8099459012ed1b9d4f6c03ec54ed2f754
30f75776b1ea0df28186e0e6a141c039e50089e80becb62918915643249fb726