Attackers carry out SMS fraud via the infected phones

Dec 15, 2015 05:31 GMT  ·  By

The Android/OpFake and Android/Marry malware families, two banking trojans targeting mobile devices, hosted their command and control (C&C) backends on Facebook Parse, the company's Backend-as-a-Service (BaaS) offering, and did so insecurely.

BaaS is a cloud service that gives mobile app developers ready-made building blocks, exposed as APIs, for the backend (server-side part) of their Android or iOS applications, so they do not have to run servers of their own.

The campaigns were actually discovered in another study

We previously detailed how, most of the time, app developers don't follow the security guidelines provided by BaaS providers and thus create insecure mobile applications.

Back in November, researchers from the Technical University of Darmstadt, Germany, published a report in which they analyzed over 2 million mobile applications built on BaaS backends and found more than 56 million data records exposed in the cloud.

During that research, they also found two mobile apps using a BaaS-powered backend to control two malware delivery campaigns. Since they were not malware analysts, the researchers asked the Intel Security group to analyze the two campaigns properly.

According to Intel, these two campaigns used Facebook Parse accounts and the associated infrastructure as a command and control (C&C) server for their mobile banking trojans.

Hackers were committing SMS fraud and stealing credit card numbers

The two trojans stole data from infected phones and uploaded it to Facebook Parse databases. The operators analyzed it there, and the infected phone then received instructions from the server based on what had been stolen.

The attackers could instruct infected phones to send SMS messages to affiliate numbers, pocketing the proceeds, and if credit card numbers were found on a device, the trojan exfiltrated those as well.

Fortunately, the creators of both mobile banking trojans failed to heed the guidelines provided by the Facebook Parse team and left numerous security holes in their BaaS backend, which is what let the researchers read the data the trojans had collected.
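The weakness the article refers to, both for ordinary app developers (the Darmstadt study) and for these malware operators, is the same: the Parse application ID and client key ship inside every APK, so they are not secrets, and unless the per-class permission table (class-level permissions, CLPs) is locked down, anyone holding those keys can read and write the whole backend. The following audit script is an added example, not code from the article, from Intel Security or from the Parse team. It assumes the CLP layout returned by Parse's schema API (a map from operation name to a map of grantee to true, where "*" means public, an empty map means master key only, and a missing operation means unrestricted); the class names, the sample schema dump and the "role:operator" role are constructed for illustration.

```python
import json

PUBLIC = "*"
READ_OPS = ("get", "find")
WRITE_OPS = ("create", "update", "delete", "addField")
ALL_OPS = READ_OPS + WRITE_OPS

# Constructed sample schema dump in the shape of a Parse "GET /1/schemas"
# response (assumption). One class is left on the permissive defaults, one
# has no CLP table at all, and one has been restricted to a single role.
SAMPLE_SCHEMA_DUMP = json.dumps({
    "results": [
        {
            "className": "SmsMessage",
            "classLevelPermissions": {
                "get": {"*": True}, "find": {"*": True},
                "create": {"*": True}, "update": {"*": True},
                "delete": {"*": True}, "addField": {"*": True},
            },
        },
        {
            "className": "Device",
            # no classLevelPermissions key: every operation is unrestricted
        },
        {
            "className": "Command",
            "classLevelPermissions": {
                "get": {"role:operator": True}, "find": {"role:operator": True},
                "create": {"role:operator": True}, "update": {"role:operator": True},
                "delete": {}, "addField": {},
            },
        },
    ]
})


def op_is_public(clp, op):
    """True if anyone holding the app's client key may perform `op`.

    Semantics assumed here: an operation absent from the CLP table is
    unrestricted (the permissive default); an entry containing "*": true
    is explicitly public; an empty entry {} means master key only.
    """
    perms = clp.get(op)
    if perms is None:
        return True
    return bool(perms.get(PUBLIC, False))


def audit_schemas(schemas):
    """Map each class name to the operations the public may perform on it.

    Classes with nothing exposed are omitted, so an empty result means the
    backend cannot be read or written with the embedded client key alone.
    """
    findings = {}
    for schema in schemas:
        clp = schema.get("classLevelPermissions", {})
        exposed = [op for op in ALL_OPS if op_is_public(clp, op)]
        if exposed:
            findings[schema["className"]] = exposed
    return findings


def audit_schema_dump(dump_json):
    """Same as audit_schemas, but starting from the raw JSON schema dump."""
    return audit_schemas(json.loads(dump_json)["results"])


def harden_clp(clp, owner_role):
    """Return a CLP that grants every data operation to `owner_role` only.

    Any public ("*") grant is dropped, other existing grantees are kept,
    and addField is left to the master key so clients cannot reshape the
    schema.
    """
    hardened = {}
    for op in ALL_OPS:
        perms = {k: v for k, v in clp.get(op, {}).items() if k != PUBLIC}
        if op != "addField":
            perms[owner_role] = True
        hardened[op] = perms
    return hardened


if __name__ == "__main__":
    for cls, ops in audit_schema_dump(SAMPLE_SCHEMA_DUMP).items():
        print(f"{cls}: publicly allowed -> {', '.join(ops)}")
    sample = json.loads(SAMPLE_SCHEMA_DUMP)["results"][0]["classLevelPermissions"]
    print(json.dumps(harden_clp(sample, "role:operator"), indent=2))
```

Run against the constructed dump, the audit flags SmsMessage and Device as fully public and says nothing about Command; feeding the hardened CLP back into the audit yields no findings. The same check can be pointed at a real schema dump obtained with the master key, which is how a developer (or, as here, a researcher) can tell whether a Parse backend leaks to anyone who extracts the client key from the app.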

Attackers used five Facebook Parse accounts for their campaigns

"In total, we found five Facebook Parse–exposed accounts, four of them used by Android/OpFake and one, [...] used by Android/Marry during our two-month study period," said Intel's Carlos Castillo.

The researcher also says that some of the accounts were inactive, probably left over from older campaigns, while the rest were still serving commands, meaning the attackers were still using them to steal financial data from infected phones.

"The data shows that Android/OpFake gathered almost 170,000 SMS messages from infected devices," Mr. Castillo observed, "and that more than 20,000 commands were successfully executed, most of them SMS tasks primarily for financial fraud."

Some credit card numbers were stolen as well, but no more than 200.

The biggest victim in the campaign was an Eastern European bank: 5,350 SMS messages were sent to one of its account management numbers to carry out illegal operations, either transferring funds to other accounts or topping up phone numbers with credit so that further SMS fraud could be carried out.

These two malware campaigns were active from late June to the end of July. Facebook was notified at the start of August and closed the five accounts.

[Figures: Mobile banking trojan campaigns used Facebook Parse as a backend; Number of SMS stolen from infected devices; Number of stolen credit card numbers]