
Android.iBanking


First posted on 08 March 2014.
Source: Symantec

Aliases:

There are no other names known for Android.iBanking.

Explanation:

Android package file
The Trojan may arrive as a package with the following characteristics:

Package name: com.BioTechnology.iClientsService[NUMBER]
Note: [NUMBER] can be one or more digits.
Version: 1.0
Name: antivirus.apk

Permissions
When the Trojan is being installed, it requests permissions to perform the following actions:
Access information about networks
Access information about Wi-Fi networks
Access location information, such as GPS information
Change network connectivity state
Change Wi-Fi connectivity state
Check the phone's current state
Initiate a phone call without using the Phone UI or requiring confirmation from the user
Modify global audio settings
Open network connections
Read and create contacts data
Read, monitor, create and send SMS messages
Start once the device has finished booting
Use the device's mic to record audio
Write to external storage devices

Installation
Once installed, the application will display an icon with a green and black shield on a green background.



Functionality
The Trojan is disguised as a mobile antivirus application.

Once executed, the Trojan sends an SMS message to +79091029020 with the following text:
i am [SIM SERIAL NUMBER]

Note: Where [SIM SERIAL NUMBER] is the compromised device's SIM card serial number.

Next, the Trojan checks for an active data connection. If one is available, it sends the following HTTP POST to the controller domain:
[http://]sendtwitter.com/iBanking/sms/inde[REMOVED]

The Trojan then opens a back door on the compromised device and may perform the following actions:
Steal SMS messages
Record phone calls
Retrieve device information
If the Trojan is running as Device Administrator, it can remotely wipe the compromised device.
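
The indicators listed above (package name pattern, registration SMS and controller POST) can be checked against device or gateway telemetry. The following is an added example, not part of the original write-up; the event layout, the type names and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the write-up above.
PACKAGE_RE = re.compile(r"com\.BioTechnology\.iClientsService\d+")
SMS_NUMBER = "+79091029020"
SMS_BODY_RE = re.compile(r"i am \S+")
C2_HOST = "sendtwitter.com"
C2_PATH_PREFIX = "/iBanking/sms/"  # the rest of the path is redacted on the page

def match_package(name):
    # [NUMBER] is one or more digits; fullmatch rejects look-alike suffixes.
    return PACKAGE_RE.fullmatch(name) is not None

def match_sms(dest, body):
    # Normalise separators so "+7 909 102-90-20" still matches.
    number = re.sub(r"[^\d+]", "", dest)
    return number == SMS_NUMBER and SMS_BODY_RE.fullmatch(body.strip()) is not None

def match_http(method, url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Compare the parsed host, not a substring, so "notsendtwitter.com" is not flagged.
    on_host = host == C2_HOST or host.endswith("." + C2_HOST)
    return method.upper() == "POST" and on_host and parts.path.startswith(C2_PATH_PREFIX)

def scan(events):
    """Return (index, reason) for every event that matches an indicator."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "package" and match_package(ev["name"]):
            hits.append((i, "package name"))
        elif ev["type"] == "sms_out" and match_sms(ev["dest"], ev["body"]):
            hits.append((i, "registration SMS"))
        elif ev["type"] == "http" and match_http(ev["method"], ev["url"]):
            hits.append((i, "controller POST"))
    return hits

# Constructed sample telemetry (hypothetical layout, not captured from a real device).
SAMPLE = [
    {"type": "package", "name": "com.BioTechnology.iClientsService7"},
    {"type": "package", "name": "com.BioTechnology.iClientsServiceX"},
    {"type": "sms_out", "dest": "+7 909 102-90-20", "body": "i am 0000000000000000000"},
    {"type": "http", "method": "POST", "url": "http://sendtwitter.com/iBanking/sms/placeholder"},
    {"type": "http", "method": "POST", "url": "http://notsendtwitter.com/iBanking/sms/placeholder"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE):
        print(idx, reason)
```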

Last update 08 March 2014

 
