RSA reveals that the company’s researchers have stumbled upon the source code for the iBanking mobile bot on a cybercrime forum. iBanking is a relatively new threat, but the fact that its source code has been leaked can be highly beneficial for botmasters.
iBanking emerged late last year, being sold at around $5,000 (€3,650). The mobile threat is capable of more than just intercepting SMS messages. It can also redirect calls, record audio using the infected device’s microphone, and even steal data.
The bot is being distributed via HTML injections on banking websites or as a so-called security application for Android devices.
The source code found by researchers is for the server-side software, including the control panel, which provides an overview of the botnet and enables the controller to send various commands to infected smartphones.
“What’s interesting about the control panel is that it is capable of hosting several ‘sandboxed’ campaigns (called on the panel ‘projects’). This could support an iBanking-as-a-Service model in which the panel owner could offer it as a service to several fraudsters, each only having access to their attack campaign,” RSA's Daniel Cohen wrote in a blog post.
In addition to the source code, a builder that can be used to unpack the existing APK file and repack it with different configurations has also been leaked. This enables cybercriminals to create their own malicious applications.
“With the apparent code leak, Trojan botmasters are now in a better position to incorporate this advanced mobile counterpart in their PC-based attacks, affording them control over their victims’ smartphones,” Cohen explained.
“What’s more, the panel’s ‘sandboxing’ feature, supporting multiple unrelated attack campaigns (or mobile botnets), may encourage mobile-botnet-as-a-service offerings in the underground marketplace.”