Banking Trojan Enters Mobiles via Facebook

Purveyors of a notorious mobile banking Trojan have started targeting Facebook users to infect Android smartphones.

The Net predators use a desktop Trojan to lure a Facebook user into installing banking malware on their own phone, ESET malware researcher Jean-Ian Boutin discovered last week.

The desktop bad app, Win32/Qadars, waits for an infected machine to open a Facebook page. When it does, it injects code into the page inside the victim’s browser, so the address bar and padlock look normal, asking the user to participate in a new safety program that requires a mobile phone number.

Once the phone number is entered on the page, the target receives an SMS message with a link to a software download allowing participation in the safety program. The software, of course, is malware.
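To make the mechanism concrete, here is an added example (written for this article, not code from ESET or from Qadars) of how a man-in-the-browser inject rewrites a page after the browser has already decrypted it, and of the kind of page-integrity check a site operator could run to catch it. The sample page, the inject rule and its three-part `before` / `inject` / `after` format are constructed for the illustration; that format is modelled on the Zeus-style webinject configuration, which is an assumption about how such Trojans describe their injects, not a description of Qadars’ own format.

```javascript
// Added example: a simplified man-in-the-browser "webinject" applied to a page
// after TLS decryption, plus a page-integrity check. Not Qadars code; the rule
// format (before / inject / after) is modelled on the classic Zeus-style
// webinject config, which is an assumption about how such Trojans are configured.

// Constructed sample page: a stripped-down login form standing in for a
// social site's page as the server actually sent it.
const ORIGINAL_PAGE = `<html><body>
<form id="login" action="/login" method="post">
  <input name="email" type="text">
  <input name="pass" type="password">
  <input type="submit" value="Log In">
</form>
</body></html>`;

// Constructed inject rule. `before` and `after` are anchor strings found in the
// real page; `inject` is the attacker's markup. The new field posts to the same
// origin as the real form, so no foreign domain ever appears in the page.
const RULE = {
  before: '<input name="pass" type="password">',
  after: '<input type="submit"',
  inject: `
  <p class="notice">New safety program: confirm your mobile number to continue.</p>
  <input name="mobile_number" type="text" placeholder="+1 555 000 0000">
`,
};

// Apply one rule: keep everything through `before`, drop whatever sat between the
// two anchors (assumption of this simplified model), insert `inject`, then keep
// from `after` onward. If either anchor is missing, the page is left untouched.
function applyWebinject(html, rule) {
  const start = html.indexOf(rule.before);
  if (start === -1) return html;
  const injectAt = start + rule.before.length;
  const end = html.indexOf(rule.after, injectAt);
  if (end === -1) return html;
  return html.slice(0, injectAt) + rule.inject + html.slice(end);
}

// Collect the `name` attributes of <input> elements. A regex is enough for this
// controlled sample; a real check would walk the DOM instead.
function inputNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname="([^"]+)"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Page-integrity check: input fields the server never emitted indicate
// client-side tampering. Returns the unexpected field names (empty = clean).
function unexpectedFields(renderedHtml, expectedNames) {
  const expected = new Set(expectedNames);
  return inputNames(renderedHtml).filter((n) => !expected.has(n));
}

const tamperedPage = applyWebinject(ORIGINAL_PAGE, RULE);
const extraFields = unexpectedFields(tamperedPage, inputNames(ORIGINAL_PAGE));
console.log(extraFields); // -> [ 'mobile_number' ]
```

The point the check makes is that the injected field is indistinguishable to the user, but not to the site: the server knows which fields it emitted, so a small script that reports the rendered form’s field list back to the server (or compares it against an embedded expected list) flags the extra `mobile_number` input. A Trojan that controls the browser can of course defeat such a script as well, so this is a detection aid, not a guarantee.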

“Usually, we’ll see the malicious code injected into a banking site,” Boutin told TechNewsWorld. “This is the first time we saw a general website being targeted by this kind of attack.”

Too Many Working Parts

Since there are more Facebook users than there are customers of any particular bank, the attack could have a bigger payoff.

“It’s a way for them to expose more mobile phones to their malware,” Boutin explained.

The attack is not easy to carry out. The attackers have to persuade users to install software on their Android phones, and since the app does not come from Google Play, they also have to con them into changing the phone’s default setting that blocks installation from unknown sources.

“There are a lot of points of failure,” Boutin acknowledged. “The success rate diminishes as the steps increase to get the malicious app on your phone, but we know some users follow these steps because they believe that the steps were sent by the Facebook team.”

As Byzantine as the Facebook attack is, it illustrates that the Android ecosystem isn’t the playground for malware writers it used to be.

“Since Google has stepped up their game in filtering malicious apps from the Google Play store, Android malware authors have had to resort to novel and convoluted methods for getting their malware installed on users’ devices,” Jeff Davis, vice president of engineering for Quarri Technologies, told TechNewsWorld.

The technique used in the Facebook attack is one that’s becoming standard practice among hackers: Infect a PC, then use that position to inject code into the PC’s Web browser when it lands on a trusted site. Then tell the user to “sideload” an Android app, in what appears to be a request from that trusted site, ostensibly for security reasons.

“The attack even includes instructions on how to change their Android settings to allow sideloading, which should be a big red flag but apparently isn’t,” Davis said.

PC as Culprit

“This leads to a couple of conclusions,” he added.

“First, the PC is still the weak link in Internet security, both for individuals and for enterprises. Now, more than ever, users and organizations really need to run modern antimalware solutions on computers used to access the Internet,” Davis urged.

“Second, sideloading is a major vector for malware getting installed on Android devices,” he pointed out.

“Although Android provides a warning about sideloading making your device more vulnerable when you enable it, it seems that warning isn’t strong enough,” Davis observed. “Maybe they need bold, blinking red text saying, ‘Legitimate apps are rarely installed this way! You’re probably installing malware on your device!'”

As for Facebook, it’s looking into the problem.

“It’s not uncommon for malware that has infected a person’s computer through some means to spoof the appearance of popular sites in an attempt to trick people into revealing sensitive information,” Facebook spokesperson Jay Nancarrow told TechNewsWorld.

“Although this activity takes place away from our servers, we are studying the malware to help shut down these scams,” he added.

LaCie Latest ColdFusion Victim

Adobe’s ColdFusion software has gained popularity among Web developers because of its power and ease of use. It has gained popularity among hackers because of vulnerabilities that many sites leave unpatched.

Those vulnerabilities have led to break-ins at high-profile websites like Smuckers and SecurePay. Computer storage maker LaCie was added to that list last week.

LaCie, now owned by Seagate, revealed that Web marauders had been snatching credit card numbers and customer information from its online store for almost a year. Moreover, the breach might have lasted longer if the FBI hadn’t brought it to the company’s attention.

“Patterns are not always evident that there’s a breach,” Dipto Chakravarty, an executive vice president at ThreatTrack, told TechNewsWorld. “If data is removed in clever chunks, you may not recognize that there’s a breach.”

That’s what makes Advanced Persistent Threats so effective — and popular. “It’s becoming more and more common,” Chakravarty said, “and more difficult to catch.”

Breach Diary

  • April 14. Pew Research Center releases survey findings saying 18 percent of online adults have had important personal information stolen, up 7 percentage points from July 2013; and 21 percent have had an email or social media account compromised.
  • April 14. The Guardian and The Washington Post win 2014 Pulitzer prizes for news stories revealing widespread secret surveillance by the National Security Agency largely based on documents leaked by whistleblower Edward Snowden.
  • April 14. Antivirus software maker Avast releases survey results finding that 21 percent of Windows XP users are unaware that Microsoft ended support of the product April 8, and 27 percent of the OS’ users don’t plan on doing anything now that support has ended.
  • April 15. NSS Labs releases report rating endpoint protection products. McAfee VirusScan Enterprise led the field, blocking 100 percent of socially engineered malware programs on download, followed by Symantec (98 percent), Trend Micro (98 percent), Bitdefender (94 percent) and Fortinet (92 percent).
  • April 16. Apple, Asurion, AT&T, Google, HTC, Huawei, Motorola Mobility, Microsoft, Nokia, Samsung, Sprint, T-Mobile, U.S. Cellular and Verizon Wireless agree to include “kill switches” in all mobile phones sold by the companies starting in July 2015.
  • April 16. Google reveals it has developed technology capable of cracking CAPTCHA security puzzles without human intervention. CAPTCHA puzzles are used to deter abuse of email and other online services by spammers and Net predators.
  • April 16. Security researcher Fredrik Strömberg confirms Heartbleed bug can be exploited to steal private keys to Virtual Private Networks.
  • April 16. Royal Canadian Mounted Police arrest Stephen Arthuro Solis-Reyes, 19, for allegedly exploiting Heartbleed bug to steal taxpayers’ records from the Canada Revenue Agency.
  • April 16. AlgoSec releases survey of 142 information security and network operations professionals, application owners and compliance officers finding that nearly three-quarters of them rated accidental data leakage or malicious behavior by insiders as their No. 1 risk, up from less than two-thirds last year.
  • April 17. Michaels Stores confirms it suffered data breach that could impact three million customers. Company is offering one year of credit monitoring and fraud assistance services to affected customers.
  • April 17. Pennsylvania healthcare conglomerate UPMC reports as many as 27,000 employees may be at risk from data breach first reported in February, when it estimated only a few dozen workers would be affected.
  • April 17. Plug-Up International announces first FIDO-compliant USB token for secure online authentication.

Upcoming Security Events

  • April 23. Tools of the Hardware Hacker Trade. 2 p.m. ET. Webinar sponsored by Black Hat. Free with registration.
  • April 23. Erasing the Chaos When Dealing with Data Security Incidents. 2 p.m. ET. Webinar sponsored by IDexperts. Free with registration.
  • April 26. BSides Chicago 2014. The Abbey Pub, 3420 W. Grace, Chicago. Free.
  • April 27-28. BSides Dubai 2014. Free.
  • April 29. BSides London 2014. Kensington & Chelsea Town Hall, Horton Street, London. Free.
  • April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • April 29-May 1. InfoSecurity Europe. Earl’s Court, London. Admission: Free.
  • April 30. SecureWorld Expo. Hood Center, 452 South Anderson Rd., Rock Hill, SC. One day pass, $165; SecureWorld Plus, $545; VIP, $315; exhibits and open sessions, $25.
  • May 7. The Security of Things Forum. 8 a.m.-4 p.m. ET. Sheraton Commander Hotel, 16 Garden St., Cambridge, Mass. Registration: $125, plus $4.12 fee.
  • May 9-10. B-Sides Boston 2014. New England Research & Development Center, Kendall Square, Cambridge, Mass. Fee: $20.
  • May 9-10. B-Sides Algiers 2014. École Nationale Supérieure d’Informatique, Oued Smar, Algiers. Free.
  • May 10. B-Sides San Antonio 2014. Texas A&M, San Antonio-Brooks City Base. Fee: $10.
  • May 13. Kansas City SecureWorld Expo. Kansas City Convention Center, 301 West 13th Street #100, Kansas City, Mo. One Day Pass: $165; SecureWorld Plus, $545; exhibits and open sessions, $25.
  • May 17. B-Sides Nashville 2014. Lipscomb University Campus, Nashville, Tenn. Free.
  • May 17. B-Sides New Orleans 2014. Hilton Garden Inn, New Orleans Convention Center, 1001 South Peters Street, New Orleans. Fee: $10.
  • May 17. B-Sides Cincinnati 2014. Main Street Theater, Tangeman Hall, University of Cincinnati, Cincinnati. Free registration, pizza and beer.
  • May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • May 21. Houston SecureWorld. Stafford Centre, 10505 Cash Road, Stafford, Texas. One Day Pass: $165; SecureWorld Plus, $545; exhibits and open sessions, $25.
  • June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • June 21-30. SANS Fire. Hilton Baltimore, 401 W. Pratt St., Baltimore. Courses: by April 30, $1,249-$4,695; by May 14, $1,249-$4,845; after May 14, $1,249-$5,095.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
  • Aug. 7-10. Defcon 22. Rio Hotel & Casino, Las Vegas. Registration: $220.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.